CVE-2013-5891: Oracle Critical Patch Update - January 2014

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.33 and earlier and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.


Oracle Critical Patch Update Advisory - January 2014

Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 144 new security fixes across the product families listed below.

This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle’s use of CVRF is available at: http://www.oracle.com/security-alerts/cpufaq.html#CVRF.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column. Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Affected Products and Versions | Patch Availability
Oracle Database 11g Release 1, version 11.1.0.7 | Database
Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4 | Database
Oracle Database 12c Release 1, version 12.1.0.1 | Database
Oracle Fusion Middleware 11g Release 1, versions 11.1.1.6, 11.1.1.7 | Fusion Middleware
Oracle Fusion Middleware 11g Release 2, versions 11.1.2.0, 11.1.2.1 | Fusion Middleware
Oracle Fusion Middleware 12c Release 2, version 12.1.2 | Fusion Middleware
Oracle Enterprise Data Quality, versions 8.1, 9.0.8 | Fusion Middleware
Oracle Forms and Reports 11g Release 2, version 11.1.2.1 | Fusion Middleware
Oracle GlassFish Server, version 2.1.1; Sun Java Application Server, versions 8.1, 8.2 | Fusion Middleware
Oracle HTTP Server 11g, versions 11.1.1.6, 11.1.1.7 | Fusion Middleware
Oracle HTTP Server 12c, version 12.1.2 | Fusion Middleware
Oracle Identity Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.0, 11.1.2.1 | Fusion Middleware
Oracle Internet Directory, versions 11.1.1.6, 11.1.1.7 | Fusion Middleware
Oracle iPlanet Web Proxy Server, version 4.0 | Fusion Middleware
Oracle iPlanet Web Server, versions 6.1, 7.0 | Fusion Middleware
Oracle Outside In Technology, versions 8.4.0, 8.4.1 | Fusion Middleware
Oracle Portal, version 11.1.1.6 | Fusion Middleware
Oracle Reports Developer, versions 11.1.1.6, 11.1.1.7, 11.1.2.1 | Fusion Middleware
Oracle Traffic Director, versions 11.1.1.6, 11.1.1.7 | Fusion Middleware
Oracle WebCenter Portal, versions 11.1.1.6.0, 11.1.1.7.0, 11.1.1.8.0 | Fusion Middleware
Oracle WebCenter Sites, versions 11.1.1.6.1, 11.1.1.8.0 | Fusion Middleware
Oracle Hyperion Essbase Administration Services, versions 11.1.2.1, 11.1.2.2, 11.1.2.3 | Fusion Middleware
Oracle Hyperion Strategic Finance, versions 11.1.2.1, 11.1.2.2 | Fusion Middleware
Oracle E-Business Suite Release 11i, version 11.5.10.2 | E-Business Suite
Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2 | E-Business Suite
Oracle Agile Product Lifecycle Management for Process, versions 6.0, 6.1, 6.1.1 | Oracle Supply Chain
Oracle AutoVue, version 20.1.1 | Oracle Supply Chain
Oracle Demantra Demand Management, versions 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3 | Oracle Supply Chain
Oracle Transportation Management, versions 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2 | Oracle Supply Chain
Oracle PeopleSoft Enterprise HRMS, versions 9.1.0, 9.2.0 | PeopleSoft
Oracle PeopleSoft Enterprise HRMS Human Resources, versions 9.1, 9.2 | PeopleSoft
Oracle PeopleSoft Enterprise PeopleTools, versions 8.52, 8.53 | PeopleSoft
Oracle PeopleSoft Enterprise SCM Services Procurement, version 9.2 | PeopleSoft
Oracle Siebel Core, versions 8.1.1, 8.2.2 | Siebel
Oracle Siebel Life Sciences, versions 8.1.1, 8.2.2 | Siebel
Oracle iLearning, version 6.0 | iLearning
Oracle FLEXCUBE Private Banking, versions 1.7, 2.0, 2.0.1, 2.2.0.1, 3.0, 12.0.1, 12.0.2 | Oracle FLEXCUBE
Oracle JavaFX, versions 2.2.45 and earlier | Oracle Java SE
Oracle Java JDK and JRE, versions 5.0u55 and earlier, 6u65 and earlier, 7u45 and earlier | Oracle Java SE
Oracle Java SE Embedded, versions 7u45 and earlier | Oracle Java SE
Oracle JRockit, versions R27.7.7 and earlier, R28.2.9 and earlier | Oracle Java SE
Oracle Solaris, versions 8, 9, 10, 11.1 | Oracle and Sun Systems Products Suite
Oracle Secure Global Desktop, versions 4.63.x, 4.71.x, 5.0.x, 5.10 | Oracle Linux and Virtualization
Oracle VM VirtualBox, versions prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.6 | Oracle Linux and Virtualization
Oracle MySQL Enterprise Monitor, versions 2.3, 3.0 | Oracle MySQL Product Suite
Oracle MySQL Server, versions 5.1, 5.5, 5.6 | Oracle MySQL Product Suite

Patch Availability Table and Risk Matrices

Products with Cumulative Patches

The Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools, Siebel Enterprise, Industry Applications, Primavera and Oracle VM patches in the Critical Patch Updates are cumulative. In other words, patches for any of these products included in a Critical Patch Update will include all fixes for that product from the previous Critical Patch Updates. For more information about cumulative and non-cumulative patches, check the patch availability documents in the table below for the respective product groups.

Patch Availability Table

For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update January 2014 Documentation Map, My Oracle Support Note 1592294.1.

Product Group | Risk Matrix | Patch Availability and Installation Information
Oracle Database | Oracle Database Risk Matrix | Patch Set Update and Critical Patch Update January 2014 Availability Document, My Oracle Support Note 1594621.1
Oracle Fusion Middleware | Oracle Fusion Middleware Risk Matrix | Patch Set Update and Critical Patch Update January 2014 Availability Document, My Oracle Support Note 1594621.1
Oracle Applications - E-Business Suite | Oracle E-Business Suite Risk Matrix | Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (January 2014), My Oracle Support Note 1605340.1
Oracle Applications - Oracle Supply Chain, PeopleSoft Enterprise, Siebel and iLearning Products Suite | Oracle Supply Chain Risk Matrix; Oracle PeopleSoft Enterprise Risk Matrix; Oracle Siebel CRM Risk Matrix; Oracle iLearning Products Risk Matrix | Critical Patch Update Knowledge Document for Oracle Supply Chain, PeopleSoft Enterprise, Siebel and iLearning Products suite, My Oracle Support Note 1608821.1
Oracle FLEXCUBE Products Suite | Oracle Financial Services Software Risk Matrix | Contact Oracle Customer Support for patches, https://support.oracle.com
Oracle Java | Oracle JDK and JRE Risk Matrix | Critical Patch Update January 2014 Patch Availability Document for Java, My Oracle Support Note 1607034.1. Users running Java SE with a browser can download the latest release from http://java.com; users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release. The latest JavaFX release is included with the latest update of JDK and JRE 7.
Oracle and Sun Systems Products Suite | Oracle and Sun Systems Products Suite Risk Matrix | Critical Patch Update January 2014 Patch Delivery Document for Oracle and Sun Systems Product Suite, My Oracle Support Note 1607615.1
Oracle Linux and Virtualization Products | Oracle Linux and Virtualization Products Risk Matrix | Patch Set Update and Critical Patch Update January 2014 Availability Document, My Oracle Support Note 1608471.1
Oracle MySQL | Oracle MySQL Risk Matrix | Critical Patch Update January 2014 Patch Availability Document for Oracle MySQL Products, My Oracle Support Note 1609570.1

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is available here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. Italics indicate vulnerabilities in code included from other product areas.

Security vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.
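Oracle publishes the CVSS 2.0 metric values in each risk matrix but not the arithmetic behind the Base Score. The calculator below is an added example, not Oracle's code: it implements the CVSS v2.0 base equation (the weights are the specification's), parses a v2 vector string, scores a matrix row written with the words Oracle uses in its columns, and cross-checks a set of rows copied from the appendices of this advisory against their published Base Score and "Remote Exploit without Auth.?" values. The rule used for that last flag (Network access vector and no authentication required) is an assumption of the example; Oracle's own definition is in the Risk Matrix Definitions linked under References.

```python
# CVSS v2.0 base-score calculator and risk-matrix cross-check. Added example,
# not Oracle's code. Metric weights are those of the CVSS v2.0 base equation;
# SAMPLE_ROWS are copied from the risk matrices in this advisory.
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 base-metric weights, keyed by vector letter.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Words used in Oracle's matrix columns -> vector letters. Letters are read per
# metric, so "Low" (complexity) and "Local" (vector) can both map to "L".
# "Partial+" is Oracle's mark for a Partial impact that some attacks can
# escalate; CVSS itself scores it as Partial.
COLUMNS = ("Access Vector", "Access Complexity", "Authentication",
           "Confidentiality", "Integrity", "Availability")
WORDS = {"Network": "N", "Adjacent Network": "A", "Local": "L",
         "High": "H", "Medium": "M", "Low": "L",
         "Multiple": "M", "Single": "S", "None": "N",
         "Partial": "P", "Partial+": "P", "Complete": "C"}


def base_score(av, ac, au, c, i, a):
    """CVSS v2.0 base score from metric letters, rounded to one decimal."""
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    if impact == 0:
        return 0.0  # f(Impact) = 0: no impact means a zero score
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * 1.176
    # The spec rounds half up to one decimal; Decimal on the float's repr
    # avoids round()'s banker's rounding on ties.
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """Split a v2 base vector such as 'AV:N/AC:L/Au:N/C:N/I:N/A:P' into letters."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    return tuple(metrics[key] for key in ("AV", "AC", "Au", "C", "I", "A"))


def score_vector(vector):
    return base_score(*parse_vector(vector))


def score_row(row):
    """Score a risk-matrix row expressed with Oracle's column words."""
    return base_score(*(WORDS[row[column]] for column in COLUMNS))


def remote_without_auth(row):
    """Oracle's 'Remote Exploit without Auth.?' flag. Assumed rule (not stated
    on this page, but it holds for every row below): Network access vector
    and no authentication required."""
    return row["Access Vector"] == "Network" and row["Authentication"] == "None"


def _row(cve, score, remote, av, ac, au, c, i, a):
    return {"CVE": cve, "Base Score": score, "Remote": remote,
            "Access Vector": av, "Access Complexity": ac, "Authentication": au,
            "Confidentiality": c, "Integrity": i, "Availability": a}


# Rows copied from this advisory's Database, Fusion Middleware, Hyperion,
# E-Business Suite and PeopleSoft risk matrices.
SAMPLE_ROWS = [
    _row("CVE-2013-5853", 5.0, "Yes", "Network", "Low", "None", "None", "None", "Partial"),
    _row("CVE-2014-0378", 4.1, "No", "Local", "Medium", "Single", "Partial", "Partial", "Partial"),
    _row("CVE-2013-5764", 3.5, "No", "Network", "Medium", "Single", "None", "None", "Partial+"),
    _row("CVE-2013-4316", 10.0, "Yes", "Network", "Low", "None", "Complete", "Complete", "Complete"),
    _row("CVE-2014-0400", 6.3, "No", "Network", "Medium", "Single", "Complete", "None", "None"),
    _row("CVE-2013-1862", 5.1, "Yes", "Network", "High", "None", "Partial", "Partial", "Partial"),
    _row("CVE-2007-1858", 2.6, "Yes", "Network", "High", "None", "Partial", "None", "None"),
    _row("CVE-2013-5879", 1.5, "No", "Local", "Medium", "Single", "None", "None", "Partial"),
    _row("CVE-2013-3830", 7.1, "No", "Network", "High", "Single", "Complete", "Complete", "Complete"),
    _row("CVE-2013-5874", 1.7, "No", "Local", "Low", "Single", "Partial", "None", "None"),
    _row("CVE-2013-5909", 4.9, "No", "Network", "Medium", "Single", "Partial", "Partial", "None"),
]


def check_rows(rows=SAMPLE_ROWS):
    """Return (CVE, computed score, computed remote flag) for each row whose
    published values disagree with the equation; an empty list means all agree."""
    mismatches = []
    for row in rows:
        score = score_row(row)
        remote = "Yes" if remote_without_auth(row) else "No"
        if score != row["Base Score"] or remote != row["Remote"]:
            mismatches.append((row["CVE"], score, remote))
    return mismatches


if __name__ == "__main__":
    print("AV:N/AC:L/Au:N/C:N/I:N/A:P ->", score_vector("AV:N/AC:L/Au:N/C:N/I:N/A:P"))
    print("rows disagreeing with the published matrix:", check_rows())
```

Re-scoring is also how a customer acts on a note such as Note 7 in the Fusion Middleware appendix: substitute the access vector that your deployment implies for the published one and compare the result with the matrix value before deciding patch priority.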

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update January 2014 Availability Document, My Oracle Support Note 1594621.1.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly “Oracle Enterprise Manager Grid Control”) and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Critical Patch Update program are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Adam Willard of Foreground Security; Alexander Kornbrust of Red Database Security; Alexey Tyurin of ERPScan (Digital Security Research Group); Apple Inc.; Arseniy Akuney of TELUS Security Labs; Borked of the Google Security Team; Carlo Di Dato of iDefense; Christopher Meyer of Ruhr-University Bochum; Daniel EkBerg of Kentor AB Sweden; Esteban Martinez Fayo formerly of Application Security Inc.; Fernando Muñoz; Information Security Office for the University of Texas at Austin; John Leitch working with HP’s Zero Day Initiative; Joseph Sheridan of Reactionis; Juraj Somorovsky of Ruhr-University Bochum; Matthew Daley; Oliver Gruskovnjak of Portcullis Inc; Sam Thomas of Pentest Limited; Sebastian Schinzel of University of Applied Sciences Münster; Tanel Poder; Will Dormann of CERT/CC; and Yuki Chen of Trend Micro.

Security-In-Depth Contributors

Oracle provides recognition to people that have contributed to our Security-In-Depth program (see FAQ). People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes Moez Roy; Owais Mohammad Khan formerly of KPMG; Tor Erling Bjorstad; and Yash Kadakia of Security Brigade for contributions to Oracle’s Security-In-Depth program.

On-Line Presence Security Contributors

Oracle provides recognition to people that have contributed to our On-Line Presence Security program (see FAQ). People are recognized for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this quarter, Oracle recognizes Abdullah Hussam Gazi; Adam Willard of Foreground Security; Ali Hasan Ghauri; Ali Hussein of Help AG Middle East; Anand Tiwari; Ben Khlifa Fahmi; Dibyendu Sikdar; Griffin Francis; James Pearson; Johnathan Simon; Koutrouss Naddara of Kotros Nadara; Mohammed Osman; Muhammad Talha Khan; Osanda Malith Jayathissa; Peter Jaric; Rafay Baloch; Rakesh Singh of Zero Day Guys; Sky_BlaCk; Sunil Dadhich; Suraj Radhakrishnan; and Vishnu Patel for contributions to Oracle’s On-Line Presence Security program.

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 15 April 2014
  • 15 July 2014
  • 14 October 2014
  • 20 January 2015

References

  • Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
  • Critical Patch Update - January 2014 Documentation Map [ My Oracle Support Note 1592294.1 ]
  • Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
  • Risk Matrix definitions [ Risk Matrix Definitions ]
  • Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
  • English text version of the risk matrices [ Oracle Technology Network ]
  • CVRF XML version of the risk matrices [ Oracle Technology Network ]
  • List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
  • Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]

Modification History

2014-January-14

Rev 1. Initial Release

Appendix - Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 5 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Oracle Database Server Risk Matrix

CVSS version 2.0 risk (see Risk Matrix Definitions); the six metric columns are Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability.

CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-5853 | Core RDBMS | Oracle Net | - | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.1.0.7, 11.2.0.3, 12.1.0.1 |
CVE-2014-0378 | Spatial | Oracle Net | Local Login, Create Session | No | 4.1 | Local | Medium | Single | Partial | Partial | Partial | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1 |
CVE-2014-0377 | Core RDBMS | Oracle Net | Create Session, Create Role, Create User, Select privilege on SYS tables | No | 4.0 | Network | Low | Single | Partial | None | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1 |
CVE-2013-5858 | Core RDBMS | Oracle Net | Create Session, Create View | No | 4.0 | Network | Low | Single | None | Partial | None | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1 |
CVE-2013-5764 | Core RDBMS | Oracle Net | Create Session, Alter Session | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 11.1.0.7, 11.2.0.3, 12.1.0.1 |

Appendix - Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 22 new security fixes for Oracle Fusion Middleware. 19 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that can be exploited by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle customers should apply the January 2014 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2014 Patch Availability Document for Oracle Products, My Oracle Support Note 1594621.1.

Oracle Fusion Middleware Risk Matrix

CVSS version 2.0 risk (see Risk Matrix Definitions); the metric columns are Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability.

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-4316 | Oracle WebCenter Sites | HTTP | WebCenter Sites Community | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 11.1.1.6.1, 11.1.1.8.0 | See Note 1
CVE-2013-5785 | Oracle Reports Developer | HTTP | Security and Authentication | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 11.1.1.6, 11.1.1.7, 11.1.2.1 | See Note 2
CVE-2007-0009 | Oracle HTTP Server | HTTPS | OSSL Module | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | OHS: 11.1.1.6.0, 11.1.1.7.0; Oracle Forms and Reports: 11.1.2.1 | See Note 3
CVE-2014-0400 | Oracle Internet Directory | HTTP | OID LDAP server | No | 6.3 | Network | Medium | Single | Complete | None | None | 11.1.1.6, 11.1.1.7 |
CVE-2013-1862 | Oracle HTTP Server | HTTP | Web Listener | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | OHS: 11.1.1.6.0, 11.1.1.7.0, 12.1.2.0; Oracle Forms and Reports: 11.1.2.1 |
CVE-2012-3544 | Oracle Enterprise Data Quality | HTTP | Internal Operations | Yes | 5.0 | Network | Low | None | None | None | Partial | 8.1, 9.0.8 | See Note 4
CVE-2013-1654 | Oracle HTTP Server | HTTPS | OSSL Module | Yes | 5.0 | Network | Low | None | None | Partial | None | OHS: 11.1.1.6.0, 11.1.1.7.0; Oracle Forms and Reports: 11.1.2.1; Fusion Middleware: 10.1.3.5.0 |
CVE-2012-4605 | Oracle HTTP Server | HTTPS | OSSL Module | Yes | 5.0 | Network | Low | None | Partial | None | None | OHS: 11.1.1.6.0, 11.1.1.7.0; Oracle Forms and Reports: 11.1.2.1 | See Note 5
CVE-2014-0391 | Oracle Identity Manager | HTTP | End User Self Service | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.1.1.5, 11.1.1.7, 11.1.2.0, 11.1.2.1 |
CVE-2013-5869 | Oracle WebCenter Portal | HTTP | Page Service | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.1.1.6.0, 11.1.1.7.0, 11.1.1.8.0 |
CVE-2013-1620 | Oracle GlassFish Server | HTTPS | Security | Yes | 4.3 | Network | Medium | None | Partial | None | None | GlassFish Enterprise Server 2.1.1; Sun Java Application Server 8.1, 8.2 |
CVE-2012-3499 | Oracle HTTP Server | HTTP | Web Listener | Yes | 4.3 | Network | Medium | None | None | Partial | None | OHS: 11.1.1.6.0, 11.1.1.7.0; Oracle Forms and Reports: 11.1.2.1 | See Note 6
CVE-2013-5900 | Oracle Identity Manager | HTTP | End User Self Service | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.1.1.5, 11.1.1.7, 11.1.2.0, 11.1.2.1 |
CVE-2013-5901 | Oracle Identity Manager | HTTP | Identity Console | Yes | 4.3 | Network | Medium | None | Partial+ | None | None | 11.1.2.0, 11.1.2.1 |
CVE-2014-0374 | Oracle Portal | HTTP | Page Parameters and Events | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.1.1.6 |
CVE-2013-1620 | Oracle Traffic Director | HTTPS | Security | Yes | 4.3 | Network | Medium | None | Partial | None | None | 11.1.1.6, 11.1.1.7 |
CVE-2013-1620 | Oracle iPlanet Web Proxy Server | HTTPS | Security | Yes | 4.3 | Network | Medium | None | Partial | None | None | 4.0 |
CVE-2013-1620 | Oracle iPlanet Web Server | HTTPS | Security | Yes | 4.3 | Network | Medium | None | Partial | None | None | 6.1, 7.0 |
CVE-2014-0383 | Oracle Identity Manager | HTTP | Identity Console | No | 3.5 | Network | Medium | Single | Partial | None | None | 11.1.2.0, 11.1.2.1 |
CVE-2007-1858 | Oracle HTTP Server | HTTPS | OSSL Module | Yes | 2.6 | Network | High | None | Partial | None | None | OHS: 11.1.1.6.0, 11.1.1.7.0; Oracle Forms and Reports: 11.1.2.1 |
CVE-2013-5808 | Oracle iPlanet Web Proxy Server | HTTP | Administration | Yes | 2.6 | Network | High | None | Partial | None | None | 4.0 |
CVE-2013-5879 | Oracle Outside In Technology | HTTP | Outside In Maintenance | No | 1.5 | Local | Medium | Single | None | None | Partial | 8.4.0, 8.4.1 | See Note 7

Notes:

  1. The following CVEs are fixed as a result of upgrading to Struts 2.3.15.3: CVE-2013-4316, CVE-2013-2251, CVE-2013-2248, CVE-2013-2135 and CVE-2013-2134. The CVSS score is taken from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4316.
  2. Please refer to Doc ID My Oracle Support Note 1608683.1 for instructions on how to address this issue.
  3. This fix also addresses CVE-2007-0008.
  4. Please refer to Doc ID My Oracle Support Note 1595538.1 for instructions on how to address this issue.
  5. This fix also addresses CVE-2006-0998 and CVE-2006-0999.
  6. This fix also addresses CVE-2012-4558.
  7. Outside In Technology is a suite of software development kits (SDKs). It does not have any particular associated protocol. If the hosting software passes data received over the network to Outside In Technology code, the CVSS Base Score would increase to 6.8.

Appendix - Oracle Hyperion

Oracle Hyperion Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle Hyperion. Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Hyperion Risk Matrix

CVSS version 2.0 risk (see Risk Matrix Definitions); the metric columns are Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability.

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-3830 | Hyperion Strategic Finance | Microsoft RPC | Server | No | 7.1 | Network | High | Single | Complete | Complete | Complete | 11.1.2.1, 11.1.2.2 |
CVE-2014-0367 | Hyperion Essbase Administration Services | HTTP | Admin Console | No | 5.5 | Network | Low | Single | Partial | Partial | None | 11.1.2.1, 11.1.2.2, 11.1.2.3 |

Appendix - Oracle Applications

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 4 new security fixes for the Oracle E-Business Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that can be exploited by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle customers should apply the January 2014 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (January 2014), My Oracle Support Note 1605340.1.

Oracle E-Business Suite Risk Matrix

CVSS version 2.0 risk (see Risk Matrix Definitions); the metric columns are Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability.

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-5890 | Oracle Payroll | HTTP | Exception Reporting | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2 |
CVE-2014-0398 | Oracle Application Object Library | HTTP | Discoverer | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.5.10.2, 12.0.6, 12.1.3, 12.2.2 |
CVE-2014-0366 | Oracle Applications Framework | HTTP | Attachments | No | 4.0 | Network | Low | Single | Partial | None | None | 11.5.10.2, 12.0.6, 12.1.3, 12.2.2 |
CVE-2013-5874 | Oracle Application Object Library | None | Logging | No | 1.7 | Local | Low | Single | Partial | None | None | 11.5.10.2, 12.0.6, 12.1.3, 12.2.2 |

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 16 new security fixes for the Oracle Supply Chain Products Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

CVSS version 2.0 risk (see Risk Matrix Definitions); the metric columns are Base Score, Access Vector, Access Complexity, Authentication, Confidentiality, Integrity, Availability.

CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2013-5897 | Oracle Agile Product Lifecycle Management for Process | HTTP | Manage Data Cache | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 6.0, 6.1, 6.1.1 |
CVE-2014-0372 | Oracle Demantra Demand Management | HTTP | DM Others | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.0, 12.2.1, 12.2.2 |
CVE-2013-5877 | Oracle Demantra Demand Management | HTTP | DM Others | Yes | 5.0 | Network | Low | None | Partial | None | None | 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.0, 12.2.1 |
CVE-2013-5880 | Oracle Demantra Demand Management | HTTP | DM Others | Yes | 5.0 | Network | Low | None | Partial | None | None | 12.2.0, 12.2.1, 12.2.2 |
CVE-2013-5795 | Oracle Demantra Demand Management | HTTP | DM Others | Yes | 5.0 | Network | Low | None | Partial+ | None | None | 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3 |
CVE-2012-3544 | Oracle Transportation Management | HTTP | Application Server | Yes | 5.0 | Network | Low | None | None | None | Partial | 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2 |
CVE-2014-0434 | Oracle Agile Product Lifecycle Management for Process | HTTP | Installation | Yes | 4.3 | Network | Medium | None | None | Partial | None | 6.0, 6.1, 6.1.1 |
CVE-2014-0379 | Oracle Demantra Demand Management | HTTP | DM Others | Yes | 4.3 | Network | Medium | None | None | Partial | None | 7.2.0.3 SQL-Server, 7.3.0.x, 7.3.1.x, 12.2.0, 12.2.1, 12.2.2 |
CVE-2013-2067 | Oracle Transportation Management | HTTP | Application Server | No | 4.0 | Network | Low | Single | Partial+ | None | None | 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2 |
CVE-2013-2071 | Oracle Transportation Management | HTTP | Application Server | No | 4.0 | Network | Low | Single | Partial | None | None | 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2 |
CVE-2014-0399 | Oracle Transportation Management | HTTP | Data, Domain & Function Security | No | 4.0 | Network | Low | Single | Partial | None | None | 6.2, 6.3, 6.3.1, 6.3.2 |
CVE-2014-0435 | Oracle Transportation Management | HTTP | Data, Domain & Function Security | No | 4.0 | Network | Low | Single | None | None | Partial | 6.1, 6.2, 6.3, 6.3.1, 6.3.2 |
CVE-2013-5871 | Oracle AutoVue | HTTP | Web General | No | 3.5 | Network | Medium | Single | Partial | None | None | 20.1.1 |
CVE-2013-5868 | Oracle AutoVue | HTTP | Web General | No | 3.5 | Network | Medium | Single | Partial+ | None | None | 20.1.1 |
CVE-2014-0444 | Oracle AutoVue | HTTP | Web General | No | 3.5 | Network | Medium | Single | Partial | None | None | 20.1.1 |
CVE-2014-0371 | Oracle Demantra Demand Management | HTTP | DM Others | No | 3.5 | Network | Medium | Single | None | Partial | None | 7.2.0.3 SQL-Server, 7.3.0.x, 7.3.1.x, 12.2.0, 12.2.1, 12.2.2 |

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 17 new security fixes for Oracle PeopleSoft Products. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 2.0 RISK fields (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2013-5873 | PeopleSoft Enterprise PeopleTools | HTTP | Integration Broker | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.52, 8.53 | |
| CVE-2014-0441 | PeopleSoft Enterprise PeopleTools | HTTP | Integration Broker | Yes | 5.0 | Network | Low | None | None | None | Partial | 8.52, 8.53 | |
| CVE-2014-0396 | PeopleSoft Enterprise PeopleTools | HTTP | Portal - Web Services | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.52, 8.53 | |
| CVE-2014-0443 | PeopleSoft Enterprise PeopleTools | HTTP | Security | Yes | 5.0 | Network | Low | None | None | Partial | None | 8.52 | |
| CVE-2014-0394 | PeopleSoft Enterprise PeopleTools | HTTP | Updates Environment Mgmt | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.52, 8.53 | |
| CVE-2014-0395 | PeopleSoft Enterprise PeopleTools | HTTP | Updates Environment Mgmt | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.52, 8.53 | |
| CVE-2013-5909 | PeopleSoft Enterprise HRMS | HTTP | Org and Workforce Dev | No | 4.9 | Network | Medium | Single | Partial | Partial | None | 9.1, 9.2 | |
| CVE-2013-5886 | PeopleSoft Enterprise HRMS | HTTP | Common Application Objects | Yes | 4.3 | Network | Medium | None | None | Partial | None | 9.1, 9.2 | |
| CVE-2014-0380 | PeopleSoft Enterprise PeopleTools | HTTP | MultiChannel Framework (MCF) | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.52, 8.53 | |
| CVE-2014-0445 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Core Technology | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.52, 8.53 | |
| CVE-2014-0392 | PeopleSoft Enterprise HRMS | HTTP | Security | No | 4.0 | Network | Low | Single | Partial | None | None | 9.1, 9.2 | |
| CVE-2014-0388 | PeopleSoft Enterprise HRMS Human Resources | HTTP | Org and Workforce Dev | No | 4.0 | Network | Low | Single | Partial | None | None | 9.1, 9.2 | |
| CVE-2014-0440 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Core Technology | No | 4.0 | Network | Low | Single | None | None | Partial | 8.52, 8.53 | |
| CVE-2014-0439 | PeopleSoft Enterprise PeopleTools | HTTP | Report Distribution | No | 4.0 | Network | Low | Single | None | Partial | None | 8.52, 8.53 | |
| CVE-2014-0438 | PeopleSoft Enterprise PeopleTools | None | Panel Processor | No | 4.0 | Network | Low | Single | Partial | None | None | 8.52, 8.53 | |
| CVE-2014-0425 | PeopleSoft Enterprise SCM Services Procurement | HTTP | Security | No | 4.0 | Network | Low | Single | Partial | None | None | 9.2 | |
| CVE-2014-0381 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Core Technology | Yes | 2.6 | Network | High | None | None | Partial | None | 8.52, 8.53 | |

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle Siebel CRM. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 2.0 RISK fields (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-0369 | Siebel Core - EAI | HTTP | Java Integration | Yes | 5.0 | Network | Low | None | Partial | None | None | 8.1.1, 8.2.2 | |
| CVE-2014-0370 | Siebel Life Sciences | HTTP | Clinical Trip Report | No | 2.8 | Network | Medium | Multiple | None | None | Partial | 8.1.1, 8.2.2 | |

Oracle iLearning Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle iLearning Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 2.0 RISK fields (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-0389 | Oracle iLearning | HTTP | Learner Pages | Yes | 4.3 | Network | Medium | None | None | Partial | None | 6.0 | |

Appendix - Oracle Financial Services Software

Oracle Financial Services Software Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Financial Services Software. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Financial Services Software Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 2.0 RISK fields (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2013-4316 | Oracle FLEXCUBE Private Banking | HTTP | Core | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 1.7, 2.0, 2.0.1, 2.2.0.1, 3.0, 12.0.1, 12.0.2 | See Note 1 |

Notes:

  1. The following CVEs are fixed as a result of upgrading to Struts 2.3.15.3: CVE-2013-4316 and CVE-2013-4310. The CVSS score is taken from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4316.

Appendix - Oracle Java SE

Oracle Java SE Executive Summary

This Critical Patch Update contains 36 new security fixes for Oracle Java SE. 34 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Partial” instead of "Complete", lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.

Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 release.

My Oracle Support Note 360870.1 explains the impact of Java security vulnerabilities on Oracle products that include an Oracle Java SE JDK or JRE.

Oracle Java SE Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 2.0 RISK fields (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-0410 | Java SE | Multiple | Deployment | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2014-0415 | Java SE | Multiple | Deployment | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2013-5907 | Java SE, JRockit, Java SE Embedded | Multiple | 2D | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, JRockit R27.7.7, JRockit R28.2.9, Java SE Embedded 7u45 | See Note 2 |
| CVE-2014-0428 | Java SE, Java SE Embedded | Multiple | CORBA | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2014-0422 | Java SE, Java SE Embedded | Multiple | JNDI | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2014-0385 | Java SE | HTTP | Install | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u45 on OS X | See Note 3 |
| CVE-2013-5889 | Java SE | Multiple | Deployment | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2014-0408 | Java SE | Multiple | Hotspot | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u45 on OS X | See Note 1 |
| CVE-2013-5893 | Java SE, Java SE Embedded | Multiple | Libraries | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 7u45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2014-0417 | Java SE, JavaFX, Java SE Embedded | Multiple | 2D | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, JavaFX 2.2.45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2014-0387 | Java SE | Multiple | Deployment | Yes | 7.6 | Network | High | None | Complete | Complete | Complete | Java SE 6u65, Java SE 7u45 on Firefox | See Note 1 |
| CVE-2014-0424 | Java SE | Multiple | Deployment | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2014-0373 | Java SE | Multiple | Serviceability | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | Java SE 5.0u55, Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2013-5878 | Java SE, Java SE Embedded | Multiple | Security | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2013-5904 | Java SE | Multiple | Deployment | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | Java SE 7u45 | See Note 1 |
| CVE-2013-5870 | Java SE, JavaFX | Multiple | JavaFX | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | Java SE 7u45, JavaFX 2.2.45 | See Note 1 |
| CVE-2014-0403 | Java SE | Multiple | Deployment | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2014-0375 | Java SE | Multiple | Deployment | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2014-0423 | Java SE, JRockit, Java SE Embedded | Multiple | Beans | No | 5.5 | Network | Low | Single | Partial | None | Partial | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, JRockit R27.7.7, JRockit R28.2.9, Java SE Embedded 7u45 | See Note 2 |
| CVE-2013-5905 | Java SE | HTTP | Install | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | Java SE 5.0u55, Java SE 6u65, Java SE 7u45 | See Note 3 |
| CVE-2013-5906 | Java SE | HTTP | Install | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | Java SE 5.0u55, Java SE 6u65, Java SE 7u45 | See Note 3 |
| CVE-2013-5902 | Java SE | Multiple | Deployment | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2014-0418 | Java SE | Multiple | Deployment | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2013-5887 | Java SE | HTTP | Deployment | Yes | 5.0 | Network | Low | None | None | None | Partial | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2013-5899 | Java SE | Multiple | Deployment | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2013-5896 | Java SE, Java SE Embedded | Multiple | CORBA | Yes | 5.0 | Network | Low | None | None | None | Partial | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2013-5884 | Java SE, Java SE Embedded | Multiple | CORBA | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2014-0416 | Java SE, Java SE Embedded | Multiple | JAAS | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2014-0376 | Java SE, Java SE Embedded | Multiple | JAXP | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2014-0368 | Java SE, Java SE Embedded | Multiple | Networking | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2013-5910 | Java SE, Java SE Embedded | Multiple | Security | Yes | 5.0 | Network | Low | None | None | Partial | None | Java SE 6u65, Java SE 7u45, Java SE Embedded 7u45 | See Note 1 |
| CVE-2013-5895 | Java SE, JavaFX | Multiple | JavaFX | Yes | 5.0 | Network | Low | None | Partial | None | None | Java SE 7u45, JavaFX 2.2.45 | See Note 1 |
| CVE-2013-5888 | Java SE | Multiple | Deployment | No | 4.6 | Local | Low | None | Partial | Partial | Partial | Java SE 6u65, Java SE 7u45 | See Note 4 |
| CVE-2014-0382 | Java SE, JavaFX | Multiple | JavaFX | Yes | 4.3 | Network | Medium | None | None | None | Partial | Java SE 7u45, JavaFX 2.2.45 | See Note 1 |
| CVE-2013-5898 | Java SE | HTTP | Deployment | Yes | 4.0 | Network | High | None | Partial | Partial | None | Java SE 6u65, Java SE 7u45 | See Note 1 |
| CVE-2014-0411 | Java SE, JRockit, Java SE Embedded | SSL/TLS | JSSE | Yes | 4.0 | Network | High | None | Partial | Partial | None | Java SE 5.0u55, Java SE 6u65, Java SE 7u45, JRockit R27.7.7, JRockit R28.2.9, Java SE Embedded 7u45 | See Note 5 |

Notes:

  1. Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
  2. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
  3. Applies to installation process on client deployment of Java.
  4. Applies to client deployment of Java under GNOME environment on Linux and Solaris.
  5. Applies to client and server deployment of JSSE.

Appendix - Oracle and Sun Systems Products Suite

Oracle and Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 11 new security fixes for the Oracle and Sun Systems Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle and Sun Systems Products Suite Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 2.0 RISK fields (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2003-1067 | Solaris | None | Localization (L10N) | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 8, 9 | See Note 1 |
| CVE-2013-5834 | Solaris | None | "ps" command line utility | No | 6.2 | Local | High | None | Complete | Complete | Complete | 8 | |
| CVE-2013-5833 | Solaris | None | Filesystem | No | 4.9 | Local | Low | None | None | None | Complete | 8, 9 | |
| CVE-2013-5876 | Solaris | None | Kernel | No | 4.9 | Local | Low | None | None | None | Complete | 10, 11.1 | |
| CVE-2013-5821 | Solaris | None | Remote Procedure Call (RPC) | No | 4.6 | Local | Low | None | Partial | Partial | Partial | 8, 9, 10, 11.1 | |
| CVE-2014-0390 | Solaris | HTTP | Java Web Console | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10 | |
| CVE-2013-5883 | Solaris | None | Kernel | No | 3.2 | Local | Low | Single | None | Partial | Partial | 8 | See Note 1 |
| CVE-2013-5875 | Solaris | None | Role Based Access Control (RBAC) | No | 2.7 | Local | Medium | Multiple | None | Partial | Partial | 11.1 | |
| CVE-2013-5872 | Solaris | None | Name Service Cache Daemon (NSCD) | No | 2.1 | Local | Low | None | None | None | Partial+ | 10, 11.1 | |
| CVE-2013-2924 | Solaris | None | Localization (L10N) | No | 1.9 | Local | Medium | None | None | None | Partial | 11.1 | |
| CVE-2013-5885 | Solaris | None | Audit | No | 1.7 | Local | Low | Single | None | Partial | None | 11.1 | |

Notes:

  1. Applies only when Solaris is running on SPARC platform.

Appendix - Oracle Linux and Virtualization

Oracle Virtualization Executive Summary

This Critical Patch Update contains 9 new security fixes for Oracle Virtualization. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 2.0 RISK fields (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2013-2067 | Oracle Secure Global Desktop (SGD) | HTTP | Apache Tomcat | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | SGD prior to SGD 4.63 with December 2013 PSU, 4.71 | |
| CVE-2014-0419 | Oracle Secure Global Desktop (SGD) | HTTP | Administration Console and Workspace Web Applications | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | SGD prior to 4.63 with December 2013 PSU, 4.71, 5.0 with December 2013 PSU, 5.10 | |
| CVE-2012-3544 | Oracle Secure Global Desktop (SGD) | HTTP | Apache Tomcat | Yes | 5.0 | Network | Low | None | None | None | Partial | SGD prior to 4.63 with December 2013 PSU, 4.71 | |
| CVE-2013-5892 | Oracle VM VirtualBox | None | Core | No | 3.5 | Local | High | Single | Partial+ | Partial+ | Partial+ | VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.22, 4.3.6 | |
| CVE-2014-0407 | Oracle VM VirtualBox | None | Core | No | 3.5 | Local | High | Single | Partial+ | Partial+ | Partial+ | VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.4 | |
| CVE-2014-0405 | Oracle VM VirtualBox | None | Core | No | 3.5 | Local | High | Single | Partial | Partial | Partial | VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.4 | See Note 1 |
| CVE-2013-2071 | Oracle Secure Global Desktop (SGD) | HTTP | Apache Tomcat | Yes | 2.6 | Network | High | None | Partial | None | None | SGD prior to 4.71 with December 2013 PSU, 5.0 with December 2013 PSU | See Note 2 |
| CVE-2014-0406 | Oracle VM VirtualBox | None | Core | No | 2.4 | Local | High | Single | None | Partial+ | Partial | VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.4 | |
| CVE-2014-0404 | Oracle VM VirtualBox | None | Core | No | 2.4 | Local | High | Single | None | Partial | Partial+ | VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.4 | |

Notes:

  1. Applies only when a Windows guest with VirtualBox Additions installed is running on VirtualBox.
  2. SGD releases prior to SGD 4.7 are not affected by CVE-2013-2071 as they do not ship with Apache Tomcat 7.x, which is the only affected release of Tomcat.

Appendix - Oracle MySQL

Oracle MySQL Executive Summary

This Critical Patch Update contains 18 new security fixes for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 2.0 RISK fields (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2013-4316 | MySQL Enterprise Monitor | HTTP | Service Manager | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 3.0.4 and earlier, 2.3.14 and earlier | See Note 1 |
| CVE-2013-5860 | MySQL Server | MySQL Protocol | GIS | No | 6.8 | Network | Low | Single | None | None | Complete | 5.6.14 and earlier | |
| CVE-2013-5882 | MySQL Server | MySQL Protocol | Stored Procedure | No | 6.8 | Network | Low | Single | None | None | Complete | 5.6.13 and earlier | |
| CVE-2014-0433 | MySQL Server | MySQL Protocol | Thread Pooling | Yes | 4.3 | Network | Medium | None | None | None | Partial | 5.6.13 and earlier | |
| CVE-2013-5894 | MySQL Server | MySQL Protocol | InnoDB | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.6.13 and earlier | |
| CVE-2013-5881 | MySQL Server | MySQL Protocol | InnoDB | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.6.14 and earlier | |
| CVE-2014-0412 | MySQL Server | MySQL Protocol | InnoDB | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.72 and earlier, 5.5.34 and earlier, 5.6.14 and earlier | |
| CVE-2014-0402 | MySQL Server | MySQL Protocol | Locking | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.71 and earlier, 5.5.33 and earlier, 5.6.13 and earlier | |
| CVE-2014-0386 | MySQL Server | MySQL Protocol | Optimizer | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.71 and earlier, 5.5.33 and earlier, 5.6.13 and earlier | |
| CVE-2013-5891 | MySQL Server | MySQL Protocol | Partition | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.33 and earlier, 5.6.13 and earlier | |
| CVE-2014-0401 | MySQL Server | MySQL Protocol | Privileges | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.1.72 and earlier, 5.5.34 and earlier, 5.6.14 and earlier | |
| CVE-2014-0427 | MySQL Server | MySQL Protocol | FTS | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.13 and earlier | |
| CVE-2014-0431 | MySQL Server | MySQL Protocol | InnoDB | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.14 and earlier | |
| CVE-2014-0437 | MySQL Server | MySQL Protocol | Optimizer | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.1.72 and earlier, 5.5.34 and earlier, 5.6.14 and earlier | |
| CVE-2014-0393 | MySQL Server | MySQL Protocol | InnoDB | No | 3.3 | Network | Low | Multiple | None | Partial | None | 5.1.71 and earlier, 5.5.33 and earlier, 5.6.13 and earlier | |
| CVE-2014-0430 | MySQL Server | MySQL Protocol | Performance Schema | No | 2.8 | Network | Medium | Multiple | None | None | Partial+ | 5.6.13 and earlier | |
| CVE-2014-0420 | MySQL Server | MySQL Protocol | Replication | No | 2.8 | Network | Medium | Multiple | None | None | Partial+ | 5.5.34 and earlier, 5.6.14 and earlier | |
| CVE-2013-5908 | MySQL Server | MySQL Protocol | Error Handling | Yes | 2.6 | Network | High | None | None | None | Partial+ | 5.1.72 and earlier, 5.5.34 and earlier, 5.6.14 and earlier | |

Notes:

  1. The following CVEs are fixed as a result of upgrading to Struts 2.3.15.3: CVE-2013-4316 and CVE-2013-4310. The CVSS score is taken from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4316. The CVSS score is 10.0 if MySQL Enterprise Monitor runs with admin or root privileges. The score would be 7.5 if MySQL Enterprise Monitor runs with non-admin privileges and the impact on Confidentiality, Integrity and Availability would be Partial+.
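Added example (not code from Oracle's advisory): a CVSS v2.0 base-score calculator that recomputes the Base Score column of these matrices from the six metric columns, and applies the adjustment stated in the Java SE section and in MySQL Note 1 above, where each "Complete" impact becomes "Partial" for a process running without administrator privileges and a 10.0 drops to 7.5. It assumes the metric weights of the CVSS v2.0 specification and scores Oracle's "Partial+" with the Partial weight, which agrees with every row on this page; the sample rows are copied from the matrices above.

```python
"""CVSS v2.0 base-score calculator for the rows of the Oracle risk matrices.

Added example, not part of the Oracle advisory. Weights and formula follow the
CVSS v2.0 specification; "Partial+" is Oracle's own label and is scored as
Partial here, which matches every row in the matrices.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 metric weights.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # Multiple / Single / None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}             # None / Partial / Complete

# The matrices spell the metrics out; map those words onto the vector letters.
WORD_TO_LETTER = {
    "Local": "L", "Adjacent Network": "A", "Network": "N",
    "High": "H", "Medium": "M", "Low": "L",
    "Multiple": "M", "Single": "S", "None": "N",
    "Partial": "P", "Partial+": "P", "Complete": "C",
}


def _round1(x):
    """Round half up to one decimal, as CVSS v2 does (Python's round() is half-even)."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(av, ac, au, c, i, a):
    """CVSS v2.0 base score from single-letter metric values."""
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0 if impact == 0 else 1.176   # a vector with no impact scores 0.0
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into a dict; reject anything malformed."""
    allowed = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
               "C": IMPACT, "I": IMPACT, "A": IMPACT}
    metrics = {}
    for part in vector.split("/"):
        key, sep, value = part.partition(":")
        if not sep or key not in allowed or value not in allowed[key] or key in metrics:
            raise ValueError(f"bad CVSS v2 metric: {part!r}")
        metrics[key] = value
    if set(metrics) != set(allowed):
        raise ValueError(f"missing metrics in {vector!r}")
    return metrics


def score_from_vector(vector):
    m = parse_vector(vector)
    return base_score(m["AV"], m["AC"], m["Au"], m["C"], m["I"], m["A"])


def score_row(access_vector, access_complexity, authentication,
              confidentiality, integrity, availability):
    """Score a matrix row given the words used in the risk matrix columns."""
    letters = [WORD_TO_LETTER[w] for w in (access_vector, access_complexity, authentication,
                                           confidentiality, integrity, availability)]
    return base_score(*letters)


def non_admin_score(access_vector, access_complexity, authentication,
                    confidentiality, integrity, availability):
    """Re-score a row for a non-administrator user: each Complete becomes Partial."""
    downgraded = ["Partial" if w == "Complete" else w
                  for w in (confidentiality, integrity, availability)]
    return score_row(access_vector, access_complexity, authentication, *downgraded)


# Sample rows copied from the matrices above: (CVE, AV, AC, Au, C, I, A, published score).
SAMPLE_ROWS = [
    ("CVE-2014-0410", "Network", "Low", "None", "Complete", "Complete", "Complete", 10.0),
    ("CVE-2014-0385", "Network", "Medium", "None", "Complete", "Complete", "Complete", 9.3),
    ("CVE-2014-0424", "Network", "Low", "None", "Partial", "Partial", "Partial", 7.5),
    ("CVE-2013-5860", "Network", "Low", "Single", "None", "None", "Complete", 6.8),
    ("CVE-2013-5891", "Network", "Low", "Single", "None", "None", "Partial+", 4.0),
    ("CVE-2013-5888", "Local", "Low", "None", "Partial", "Partial", "Partial", 4.6),
    ("CVE-2014-0381", "Network", "High", "None", "None", "Partial", "None", 2.6),
]


def mismatches(rows=SAMPLE_ROWS):
    """Return the CVEs whose recomputed base score differs from the published one."""
    return [cve for (cve, *metrics, published) in rows if score_row(*metrics) != published]


if __name__ == "__main__":
    for cve, *metrics, published in SAMPLE_ROWS:
        print(f"{cve}: published {published}, recomputed {score_row(*metrics)}")
    # The Java SE note: a 10.0 becomes 7.5 when the user is not an administrator.
    print("non-admin 10.0 ->", non_admin_score("Network", "Low", "None",
                                               "Complete", "Complete", "Complete"))
    print("mismatches:", mismatches())
```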

Why Oracle

  • Analyst Reports
  • Gartner MQ for Cloud ERP
  • Cloud Economics
  • Corporate Responsibility
  • Diversity and Inclusion
  • Security Practices

Learn

  • What is cloud computing?
  • What is CRM?
  • What is Docker?
  • What is Kubernetes?
  • What is Python?
  • What is SaaS?

What’s New

  • News

  • Oracle CloudWorld

  • Oracle Supports Ukraine

  • Oracle Red Bull Racing

  • Oracle Sustainability

  • Employee Experience Platform

  • © 2022 Oracle

  • Site Map

  • Privacy/Do Not Sell My Info

  • Ad Choices

  • Careers

  • Facebook

  • Twitter

  • LinkedIn

  • YouTube

Related news

Oracle Demantra Database Credentials Leak

This Metasploit module exploits a database credentials leak found in Oracle Demantra 12.2.1 in combination with an authentication bypass. This way an unauthenticated user can retrieve the database name, username and password on any vulnerable machine.

Oracle Demantra Arbitrary File Retrieval With Authentication Bypass

This Metasploit module exploits a file download vulnerability found in Oracle Demantra 12.2.1 in combination with an authentication bypass. By combining these exposures, an unauthenticated user can retrieve any file on the system by referencing the full file path to any file a vulnerable machine.

CVE-2022-22721: Apache HTTP Server 2.4 vulnerabilities

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.

CVE-2022-22721: Apache HTTP Server 2.4 vulnerabilities

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2022-24052: Security Vulnerabilities Fixed in MariaDB

MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16190.

CVE-2021-44790: Apache HTTP Server 2.4 vulnerabilities

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

CVE-2021-44790: Apache HTTP Server 2.4 vulnerabilities

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

CVE-2020-9490: Apache HTTP Server 2.4 vulnerabilities

Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.

CVE-2016-5612: Oracle Critical Patch Update - October 2016

Unspecified vulnerability in Oracle MySQL 5.5.50 and earlier, 5.6.31 and earlier, and 5.7.13 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2015-2582: Oracle Critical Patch Update Advisory - July 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to GIS.

CVE-2015-2590: Oracle Critical Patch Update Advisory - July 2015

Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.

CVE-2015-0395: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2015-0391: Oracle Critical Patch Update Advisory - January 2015

Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to DDL.

CVE-2014-4260: Oracle Critical Patch Update - July 2014

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier, and 5.6.17 and earlier, allows remote authenticated users to affect integrity and availability via vectors related to SRCHAR.

CVE-2014-4265: Oracle Critical Patch Update - July 2014

Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment.

CVE-2014-2421: Oracle Critical Patch Update - April 2014

Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

CVE-2014-2436: Oracle Critical Patch Update - April 2014

Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to RBR.

CVE-2013-5802: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-5807: Oracle Critical Patch Update - October 2013

Unspecified vulnerability in Oracle MySQL Server 5.5.x through 5.5.32 and 5.6.x through 5.6.12 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Replication.

CVE-2013-1862

mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator.

CVE-2013-1620

The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVE-2012-0053: Apache HTTP Server 2.2 vulnerabilities

protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.

CVE-2011-2729: Apache Tomcat® - Apache Tomcat 7 vulnerabilities

native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.
