CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

• Click to view our Accessibility Policy

• Skip to content

• Security Alerts

Oracle Critical Patch Update Advisory - October 2015****Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to: Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.

This Critical Patch Update contains 270 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at https://blogs.oracle.com/security.

This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle’s use of CVRF is available at: http://www.oracle.com/security-alerts/cpufaq.html#CVRF.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column. Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Affected Products and Versions

Patch Availability

Oracle Database Server, version(s) 11.2.0.4, 12.1.0.1, 12.1.0.2

Database

Mobile Server, version(s) 10.3.0.3, 11.3.0.2, 12.1.0.0

Mobile/Lite Server

Oracle Access Manager, version(s) 11.1.2.2, 11.1.2.3

Fusion Middleware

Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7, 11.1.1.9

Fusion Middleware

Oracle Endeca Server, version(s) 7.3.0.0, 7.4.0.0, 7.5.1.1, 7.6.1.0.0

Fusion Middleware

Oracle Enterprise Data Quality, version(s) 8.1, 9.0, 11.1.1.7.4, 12.1.3.0.0

Fusion Middleware

Oracle Exalogic Infrastructure, version(s) EECS 2.0.6.2.3

Fusion Middleware

Oracle Fusion Middleware, version(s) 10.1.3.5, 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.1, 11.1.2.2, 11.1.2.3, 12.1.2.0, 12.1.3.0

Fusion Middleware

Oracle GlassFish Server, version(s) 3.0.1, 3.1.2

Fusion Middleware

Oracle HTTP Server, version(s) 10.1.3.5, 11.1.1.7, 11.1.1.9, 12.1.2.0, 12.1.3.0

Fusion Middleware

Oracle Identity Manager, version(s) 11.1.1.7, 11.1.2.2, 11.1.2.3

Fusion Middleware

Oracle JDeveloper, version(s) 11.1.2.4.0, 12.1.2.0.0, 12.1.3.0.0

Fusion Middleware

Oracle Mobile Security Suite, version(s) MSS 3.0

Fusion Middleware

Oracle Outside In Technology, version(s) 8.5.0, 8.5.1, 8.5.2

Fusion Middleware

Oracle Traffic Director, version(s) 11.1.1.7.0, 11.1.1.9.0

Fusion Middleware

Oracle WebCenter Content, version(s) 10.1.3.5.1

Fusion Middleware

Oracle WebCenter Sites, version(s) 7.6.2, 11.1.1.6.1, 11.1.1.8.0

Fusion Middleware

Hyperion Installation Technology, version(s) 11.1.2.3

Fusion Middleware

Enterprise Manager Base Platform, version(s) 12.1.0.4, 12.1.0.5

Enterprise Manager

Enterprise Manager Ops Center, version(s) 12.1.0.1, 12.2.2

Enterprise Manager

OSS Support Tools, version(s) prior to 8.8.15.7.15

Enterprise Manager

Oracle E-Business Suite, version(s) 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4

E-Business Suite

Oracle Agile Engineering Data Management, version(s) 6.1.2.2, 6.1.3.0, 6.2.0.0

Oracle Supply Chain Products

Oracle Agile PLM, version(s) 9.3.3, 9.3.4

Oracle Supply Chain Products

Oracle Configurator, version(s) 12.0.6, 12.1.3, 12.2.3, 12.2.4

Oracle Supply Chain Products

Oracle Transportation Management, version(s) 6.1, 6.2

Oracle Supply Chain Products

PeopleSoft Enterprise FIN Expenses, version(s) 9.2

PeopleSoft

PeopleSoft Enterprise FSCM, version(s) 9.2

PeopleSoft

PeopleSoft Enterprise HCM, version(s) 9.2

PeopleSoft

PeopleSoft Enterprise HCM Talent Acquistion Managment, version(s) 9.2

PeopleSoft

PeopleSoft Enterprise PeopleTools, version(s) 8.53, 8.54

PeopleSoft

Siebel Applications, version(s) IP2014, IP2015

Siebel

Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9

Fusion Applications

Oracle Utilities Work and Asset Management, version(s) 1.9.1.1.2

Industry Applications

Oracle Communications Convergence, version(s) 2.0, 3.0.1

Communications

Oracle Communications Diameter Signaling Router (DSR), version(s) 4.1.6 and prior, 5.1.0 and prior, 6.0.2 and prior, 7.1.0 and prior

Communications

Oracle Communications LSMS, version(s) 13.1

Communications

Oracle Communications Messaging Server, version(s) 7.0.5, 8.0

Communications

Oracle Communications Performance Intelligence Center Software, version(s) 9.0.3 and prior, 10.1.5 and prior

Communications

Oracle Communications Policy Management, version(s) 9.9.0 and prior, 10.5.0 and prior, 11.5.0 and prior, 12.1.0 and prior

Communications

Oracle Communications Tekelec HLR Router, version(s) 4.0.0

Communications

Oracle Retail Back Office, version(s) 12.0, 12.0IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0., RM2.0

Retail

Oracle Retail Central Office, version(s) 12.0, 12.0IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0., RM2.0

Retail

Oracle Retail Open Commerce Platform, version(s) 3.0

Retail

Oracle Retail Returns Management:, version(s) 12.0, 12.0IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0., RM2.0

Retail

Oracle Java SE, version(s) 6u101, 7u85, 8u60

Oracle Java SE

Oracle Java SE Embedded, version(s) 8u51

Oracle Java SE

Oracle JavaFX, version(s) 2.2.85

Oracle Java SE

Oracle JRockit, version(s) R28.3.7

ROracle Java SE

Fujitsu M10-1, M10-4, M10-4S Servers, version(s) prior to XCP 2271

Oracle and Sun Systems Products Suite

Integrated Lights Out Manager (ILOM), version(s) 3.0, 3.1, 3.2

Oracle and Sun Systems Products Suite

Solaris, version(s) 10, 11.2

Oracle and Sun Systems Products Suite

Oracle FS1-2 Flash Storage System, version(s) 6.1, 6.2, 6.3

Pillar Axiom

Oracle VM VirtualBox, version(s) prior to 4.0.34, prior to 4.1.42, prior to 4.2.34, prior to 4.3.32, prior to 5.0.8

Oracle Linux and Virtualization

MySQL Enterprise Monitor, version(s) 2.3.20 and prior, 3.0.22 and prior

Oracle MySQL Product Suite

MySQL Server, version(s) 5.5.45 and prior, 5.6.26 and prior

Oracle MySQL Product Suite

Patch Availability Table and Risk Matrices****Patch Availability Table

For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update October 2015 Documentation Map, My Oracle Support Note 2031790.1.

Product Group

Risk Matrix

Patch Availability and Installation Information

Oracle Database

Oracle Database Risk Matrix

Patch Set Update and Critical Patch Update October 2015 Availability Document, My Oracle Support Note 2037108.1

Oracle Fusion Middleware

Oracle Fusion Middleware Risk Matrix

Patch Set Update and Critical Patch Update October 2015 Availability Document, My Oracle Support Note 2037108.1

Oracle Fusion Applications

Oracle Database Risk Matrix and Oracle Fusion Middleware Risk Matrix

Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document (October 2015) My Oracle Support Note 2067867.1 for information on patches to be applied to Fusion Application environments.

Oracle Enterprise Manager

Oracle Enterprise Manage Risk Matrix

Patch Set Update and Critical Patch Update October 2015 Availability Document, My Oracle Support Note 2037108.1

Oracle Applications - E-Business Suite

Oracle E-Business Suite Risk Matrix

Patch Set Update and Critical Patch Update October 2015 Availability Document, My Oracle Support Note 2051000.1

Oracle Applications - Oracle Supply Chain, PeopleSoft Enterprise and Siebel

Oracle Supply Chain Risk Matrix Oracle PeopleSoft Enterprise Risk Matrix Oracle Siebel Risk Matrix

Critical Patch Update Knowledge Document for Oracle Supply Chain, PeopleSoft Enterprise and Siebel Product Suite, My Oracle Support Note 2066864.1

Oracle Utilities Applications Suite

Oracle Utilities Applications Risk Matrix

Critical Patch Update October 2015 Availability Document, My Oracle Support Note 2063167.1

Oracle Communications Applications Suite

Oracle Communications Applications Risk Matrix

Critical Patch Update October 2015 Availability Document, My Oracle Support Note 2066863.1

Oracle Retail Applications Suite

Oracle Retail Applications Risk Matrix

PCritical Patch Update October 2015 Availability Document, My Oracle Support Note 2067325.1

Oracle Java SE

Oracle Java SE Risk Matrix

• Critical Patch Update October 2015 Patch Availability Document for Java SE, My Oracle Support Note 2049800.1
• Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
• The latest JavaFX release is included with the latest update of JDK and JRE 7 and 8.

Oracle and Sun Systems Products Suite

Oracle and Sun Systems Products Suite Risk Matrix

Critical Patch Update October 2015 Patch Delivery Document for Oracle and Sun Systems Product Suite, My Oracle Support Note 2060027.1

Oracle Pillar Axiom

Oracle Pillar Axiom Risk Matrix

Critical Patch Update October 2015 Patch Delivery Document for Oracle Pillar Axiom, My Oracle Support Note 2060214.1

Oracle Linux and Virtualization Products

Oracle Linux and Virtualization Products Risk Matrix

Critical Patch Update October 2015 Patch Delivery Document for Oracle Linux and Virtualization Products, My Oracle Support Note 2060225.1

Oracle MySQL

Oracle MySQL Risk Matrix

Critical Patch Update October 2015 Patch Availability Document for Oracle MySQL Products, My Oracle Support Note 2048227.1

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is available here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies .

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update October 2015 Availability Document, My Oracle Support Note 2037108.1.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly “Oracle Enterprise Manager Grid Control”) and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Critical Patch Update program are available to customers who have Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Aaron Portnoy of Exodus Intelligence; Adam Gowdiak of Security Explorations; Adam Willard of Foreground Security; Advanced Threat Research Team, Intel Security; Aleksandr Dubinsky of SyncWords; Alexey Tyurin of ERPScan; Andrea Palazzo of Truel IT; Behzad Najjarpour Jabbari of Secunia Research; Borked of the Google Security Team; Brooks Li of Trend Micro; Cihan Öncü of Biznet Bilisim A.S.; Colm O hEigeartaigh; Dan Peled; David Litchfield of Google; Egor Karbutov of ERPScan; Erlend Oftedal; FortiGuard Labs of Fortinet, Inc.; Francis Provencher from COSIG; Francois Goichon of Context Information Security; G. Geshev from MWR Labs; Gregory Golds; Guido Vranken; Ivan Chalykin of ERPScan; Jacob Smith; Jakub Palaczynski from ING Services Polska; Jeff Kayser of Jibe Consulting; Kana Toko; Khai Tran of Netspi; Leopold von Niebelschuetz-Godlewski of Trustwave; Marcin Gebarowski; Martin Rakhmanov of Trustwave; Nikita Kelesis of ERPScan; Osanda Malith Jayathissa; Oscar Andersson; Red Hat Product Security; Sergey Gorbaty of Salesforce.com; Travis Emmert of Salesforce.com; and Ugur Cihan Koc - Avea Iletisim Hizmetleri A.S.

Security-In-Depth Contributors

Oracle provides recognition to people that have contributed to our Security-In-Depth program (see FAQ). People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes Greg Rubin of Amazon Web Services IT Security; Karthikeyan Bhargavan; and Steven Seeley of HP’s Zero Day Initiative for contributions to Oracle’s Security-In-Depth program.

On-Line Presence Security Contributors

Oracle provides recognition to people that have contributed to our On-Line Presence Security program (see FAQ). People are recognized for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.

For this quarter, Oracle recognizes Adam Willard of Foreground Security; Jerold Camacho; Jon Lamendola of ^Lift Security; Mehmet Nurcan; Nicolas Francois; Pratyush Anjan Sarangi; Roberto Zanga; Rodolfo Godalle Jr.; Treasure Priyamal; and Weijun Lin of Future-Sec for contributions to Oracle’s On-Line Presence Security program.

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

• 19 January 2016
• 19 April 2016
• 19 July 2016
• 18 October 2016

References

• Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
• Critical Patch Update - October 2015 Documentation Map [ My Oracle Support Note 2031790.1 ]
• Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
• Risk Matrix definitions [ Risk Matrix Definitions ]
• Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
• English text version of the risk matrices [ Oracle Technology Network ]
• CVRF XML version of the risk matrices [ Oracle Technology Network ]
• The Oracle Software Security Assurance Blog [ The Oracle Software Security Assurance Blog ]
• List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
• Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]

Modification History

Date

Note

2016-September-29

Rev 7. Removed Oracle Communications User Data Repository from the set of products affected by CVE-2015-2608

2015-October-27

Rev 6. Modified CVSS score for CVE-2015-4798 and CVE-2015-4839

2015-October-23

Rev 5. Modified CVSS score for CVE-2015-4873

2015-October-22

Rev 4. Modified Credit Statement

2015-October-21

Rev 3. Modified affected version for CVE-2015-4841

2015-October-21

Rev 2. Modified CVSS score for CVE-2015-4896

2015-October-20

Rev 1. Initial Release

Appendix - Oracle Database Server****Oracle Database Server Executive Summary

This Critical Patch Update contains 8 new security fixes for the Oracle Database Server divided as follows:

• 7 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here .
• 1 new security fix for the Oracle Database Mobile/Lite Server. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Database Server Risk Matrix

CVE#

Component

Protocol

Package and/or Privilege Required

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2015-4863

Portable Clusterware

Oracle Net

None

Yes

10.0

Network

Low

None

Complete

Complete

Complete

11.2.0.4, 12.1.0.1, 12.1.0.2

CVE-2015-4794

Java VM

Multiple

Create Session

No

9.0

Network

Low

Single

Complete

Complete

Complete

11.2.0.4, 12.1.0.1, 12.1.0.2

See Note 1

CVE-2015-4796

Java VM

Oracle Net

Create Session

No

9.0

Network

Low

Single

Complete

Complete

Complete

11.2.0.4, 12.1.0.1, 12.1.0.2

See Note 2

CVE-2015-4873

Database Scheduler

None

None

No

7.2

Local

Low

None

Complete

Complete

Complete

11.2.0.4, 12.1.0.1, 12.1.0.2

CVE-2015-4888

Java VM

Oracle Net

Create Session

No

6.5

Network

Low

Single

Partial

Partial

Partial

11.2.0.4, 12.1.0.1, 12.1.0.2

See Note 2

CVE-2015-4900

XDB - XML Database

Oracle Net

Create Session, Create Procedure, Create Table, Create Public Synonym

No

6.5

Network

Low

Single

Partial+

Partial+

Partial+

11.2.0.4, 12.1.0.1, 12.1.0.2

CVE-2015-4857

RDBMS

Oracle Net

Create Session

No

5.5

Network

Low

Single

Partial+

Partial+

None

12.1.0.1, 12.1.0.2

Notes:

1. The CVSS score is 9.0 only on Windows for Database versions prior to 12c. The CVSS is 6.5 (Confidentiality, Integrity and Availability is “Partial+”) for Database 12c on Windows and for all versions of Database on Linux, Unix and other platforms.
2. This issue impacts the Windows platform only.

Oracle Database Mobile/Lite Server Executive Summary

This Critical Patch Update contains 1 new security fix for the Oracle Database Mobile/Lite Server. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Database Mobile/Lite Server Risk Matrix

CVE#

Component

Protocol

Package and/or Privilege Required

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2015-4894

Mobile Server

Oracle Net

Create Session, Create Table, Index

No

4.9

Network

Medium

Single

None

Partial+

Partial

10.3.0.3, 11.3.0.2, 12.1.0.0

Appendix - Oracle Fusion Middleware****Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 23 new security fixes for Oracle Fusion Middleware. 16 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the October 2015 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2015 Patch Availability Document for Oracle Products, My Oracle Support Note 2037108.1.

Oracle Fusion Middleware Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2014-3576

Oracle Enterprise Data Quality

HTTP

Installation

Yes

7.5

Network

Low

None

Partial

Partial

Partial

8.1, 9.0, 11.1.1.7.4, 12.1.3.0.0

See Note 1

CVE-2014-1569

Oracle Traffic Director

HTTPS

Security

Yes

7.5

Network

Low

None

Partial

Partial

Partial

11.1.1.7.0, 11.1.1.9.0

CVE-2015-1791

Oracle Exalogic Infrastructure

HTTPS

Network Infra Framework

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

EECS 2.0.6.2.3

See Note 2

CVE-2015-0286

Oracle Business Intelligence Enterprise Edition

HTTPS

BI Platform Security

Yes

5.0

Network

Low

None

None

None

Partial

11.1.1.7, 11.1.1.9

See Note 3

CVE-2015-0286

Oracle Endeca Server

HTTPS

Data Enrichment

Yes

5.0

Network

Low

None

None

None

Partial

7.3.0.0, 7.4.0.0, 7.5.1.1, 7.6.1.0.0

See Note 3

CVE-2015-1829

Oracle HTTP Server

HTTP

Web Listener

Yes

5.0

Network

Low

None

None

None

Partial

10.1.3.5, 11.1.1.7, 11.1.1.9, 12.1.2.0, 12.1.3.0

See Note 4

CVE-2015-4909

Oracle JDeveloper

HTTP

ADF Faces

Yes

5.0

Network

Low

None

None

Partial

None

11.1.2.4.0, 12.1.2.0.0, 12.1.3.0.0

CVE-2014-3571

Oracle Mobile Security Suite

HTTPS

Common Libraries

Yes

5.0

Network

Low

None

None

None

Partial

MSS 3.0

See Note 5

CVE-2010-1622

Oracle WebCenter Sites

HTTP

Security

No

4.9

Network

Medium

Single

Partial+

Partial+

None

7.6.2, 11.1.1.6.1, 11.1.1.8.0

CVE-2015-4912

Oracle Access Manager

HTTP

SSO Engine

Yes

4.3

Network

Medium

None

Partial

None

None

11.1.2.2, 11.1.2.3

CVE-2015-4899

Oracle GlassFish Server

LDAP

Security

Yes

4.3

Network

Medium

None

Partial

None

None

3.0.1, 3.1.2

CVE-2014-0191

Oracle HTTP Server

HTTP

Web Listener

Yes

4.3

Network

Medium

None

None

None

Partial

11.1.1.7, 12.1.2.0, 12.1.3.0

CVE-2015-4832

Oracle Identity Manager

HTTP

OIM Legacy UI

Yes

4.3

Network

Medium

None

None

Partial

None

11.1.1.7, 11.1.2.2, 11.1.2.3

CVE-2015-4867

Oracle WebCenter Content

HTTP

Content Server

Yes

4.3

Network

Medium

None

None

Partial

None

10.1.3.5.1

CVE-2015-4880

Oracle WebCenter Content

HTTP

Content Server

Yes

4.3

Network

Medium

None

None

Partial

None

10.1.3.5.1

CVE-2015-4799

Oracle WebCenter Sites

HTTP

Security

Yes

4.3

Network

Medium

None

None

Partial

None

7.6.2, 11.1.1.6.1, 11.1.1.8.0

CVE-2015-4838

Oracle JDeveloper

HTTP

ADF Faces

No

4.0

Network

Low

Single

Partial

None

None

11.1.2.4.0, 12.1.2.0.0, 12.1.3.0.0

CVE-2015-4914

Oracle HTTP Server

HTTPS

Web Listener

No

3.5

Network

Medium

Single

Partial

None

None

10.1.3.5, 11.1.1.7, 11.1.1.9, 12.1.2.0, 12.1.3.0

CVE-2015-4812

Oracle HTTP Server

HTTPS

OSSL Module

Yes

2.6

Network

High

None

Partial

None

None

11.1.1.9

CVE-2015-4877

Oracle Outside In Technology

None

Outside In Filters

No

1.5

Local

Medium

Single

None

None

Partial

8.5.0, 8.5.1, 8.5.2

See Note 6

CVE-2015-4878

Oracle Outside In Technology

None

Outside In Filters

No

1.5

Local

Medium

Single

None

None

Partial

8.5.0, 8.5.1, 8.5.2

See Note 6

CVE-2015-4809

Oracle Outside In Technology

None

Outside In PDF Export SDK

No

1.5

Local

Medium

Single

None

None

Partial

8.5.0, 8.5.1, 8.5.2

See Note 6

CVE-2015-4811

Oracle Outside In Technology

None

Outside In PDF Export SDK

No

1.5

Local

Medium

Single

None

None

Partial

8.5.0, 8.5.1, 8.5.2

See Note 6

Notes:

1. Please refer to My Oracle Support Note 2056927.1 for instructions on how to address this issue.
2. The fix also addresses CVE-2015-1788, CVE-2015-1789, CVE-2015-1790 and CVE-2015-1792.
3. The fix also addresses CVE-2015-0204,CVE-2015-0207,CVE-2015-0208,CVE-2015-0209,CVE-2015-0285,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0290,CVE-2015-0291,CVE-2015-0292,CVE-2015-0293 and CVE-2015-1787.
4. The fix also addresses CVE-2015-3183.
5. The fix also addresses CVE-2015-0204,CVE-2015-0205,CVE-2015-0206,CVE-2014-3569,CVE-2014-3570,CVE-2014-3572 and CVE-2014-8275.
6. Outside In Technology is a suite of software development kits (SDKs). It does not have any particular associated protocol. If the hosting software passes data received over the network to Outside In Technology code, the CVSS v2.0 Base Score would increase to 6.8.

Appendix - Oracle Hyperion****Oracle Hyperion Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Hyperion. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Hyperion Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2015-4823

Hyperion Installation Technology

None

Essbase Rapid Deploy

No

1.2

Local

High

None

Partial

None

None

11.1.2.3

Appendix - Oracle Enterprise Manager Grid Control****Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 5 new security fixes for Oracle Enterprise Manager Grid Control. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2015 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2015 Patch Availability Document for Oracle Products, My Oracle Support Note 2037108.1.

Oracle Enterprise Manager Grid Control Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2015-1793

OSS Support Tools

HTTPS

Oracle Explorer

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

Prior to 8.8.15.7.15

CVE-2015-4859

Enterprise Manager Base Platform

HTTP

Agent Next Gen

Yes

5.8

Network

Medium

None

Partial+

Partial+

None

12.1.0.4, 12.1.0.5

CVE-2015-4875

Enterprise Manager Base Platform

HTTP

Agent Next Gen

Yes

5.0

Network

Low

None

None

None

Partial+

12.1.0.4, 12.1.0.5

CVE-2015-4874

Enterprise Manager Base Platform

HTTP

Agent Next Gen

No

4.1

Local

Medium

Single

Partial+

Partial+

Partial+

12.1.0.4, 12.1.0.5

CVE-2015-2633

Enterprise Manager Ops Center

HTTP

Ops Center

No

3.6

Network

High

Single

Partial+

Partial

None

12.1.0.1, 12.2.2

Appendix - Oracle Applications****Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 12 new security fixes for the Oracle E-Business Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2015 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (October 2015), My Oracle Support Note 2051000.1.

Oracle E-Business Suite Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2015-4798

Oracle Applications Technology Stack

SQLNet

DB Listener

Yes

10.0

Network

Low

None

Complete

Complete

Complete

11.5.10.2

See Note 1

CVE-2015-4839

Oracle Applications Technology Stack

SQLNet

DB Listener

Yes

10.0

Network

Low

None

Complete

Complete

Complete

11.5.10.2

See Note 1

CVE-2015-4849

Oracle Payments

HTTP

Punch-in

Yes

6.8

Network

Medium

None

Partial+

Partial+

Partial+

11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4

CVE-2015-4851

Oracle iSupplier Portal

HTTP

XML input

Yes

6.8

Network

Medium

None

Partial+

Partial+

Partial+

12.0.6, 12.1.3, 12.2.3, 12.2.4

CVE-2015-4886

Oracle Report Manager

HTTP

Reports Security

Yes

6.4

Network

Low

None

Partial

Partial

None

11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4

CVE-2015-4884

Oracle Application Object Library

HTTP

Single Signon

Yes

5.0

Network

Low

None

Partial

None

None

11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4

CVE-2015-4845

Oracle Application Object Library

HTTP

Java APIs - AOL/J

Yes

4.3

Network

Medium

None

Partial

None

None

11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4

CVE-2015-4854

Oracle Application Object Library

HTTP

Single Signon

Yes

4.3

Network

Medium

None

None

Partial

None

12.0.6, 12.1.3, 12.2.3, 12.2.4

CVE-2015-4762

Oracle Applications DBA

HTTP

Online patching

No

4.0

Network

Low

Single

Partial

None

None

12.2.3, 12.2.4

CVE-2015-4898

Oracle Applications Framework

HTTP

Diagnostics, DMZ

No

4.0

Network

Low

Single

None

Partial

None

11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4

CVE-2015-4846

Oracle Applications Manager

HTTP

SQL Extensions

No

3.6

Network

High

Single

Partial

Partial

None

11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4

CVE-2015-4865

Oracle Applications Framework

HTTP

Business Objects - BC4J

No

2.1

Network

High

Single

Partial

None

None

12.1.3, 12.2.3, 12.2.4

Notes:

1. The CVSS score is 10.0 for the Windows platform. The CVSS score is 7.5 (Confidentiality, Integrity and Availability is “Partial+”) for Linux, Unix and other platforms.

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 8 new security fixes for the Oracle Supply Chain Products Suite. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2015-1791

Oracle Transportation Management

HTTP

Install

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

6.1, 6.2

See Note 1

CVE-2015-4848

Oracle Configurator

HTTP

Integration with Peoplesoft

Yes

5.0

Network

Low

None

Partial

None

None

12.0.6, 12.1.3, 12.2.3, 12.2.4

CVE-2015-1793

Oracle Agile Engineering Data Management

HTTP

Install

No

4.9

Network

Medium

Single

Partial

Partial

None

6.1.2.2, 6.1.3.0, 6.2.0.0

CVE-2015-4847

Oracle Configurator

HTTP

OCI

Yes

4.3

Network

Medium

None

None

Partial

None

12.0.6, 12.1.3, 12.2.3, 12.2.4

CVE-2015-4892

Oracle Agile PLM

HTTP

Security

No

3.5

Network

Medium

Single

None

Partial

None

9.3.4

CVE-2015-4797

Oracle Agile PLM

HTTP

Security

No

3.5

Network

Medium

Single

None

Partial

None

9.3.3

CVE-2015-4917

Oracle Agile PLM

HTTP

Security

No

3.5

Network

Medium

Single

None

Partial

None

9.3.4

CVE-2015-4824

Oracle Agile PLM

HTTP

Security

No

2.1

Network

High

Single

Partial+

None

None

9.3.4

Notes:

1. This fix also addresses CVE-2015-1788, CVE-2015-1789, CVE-2015-1790 and CVE-2015-1792 and CVE-2015-1793.

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle PeopleSoft Products. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2015-1791

PeopleSoft Enterprise PeopleTools

HTTP

Security

Yes

6.8

Network

Medium

None

Partial

Partial

Partial

8.53, 8.54

See Note 1

CVE-2015-4887

PeopleSoft Enterprise HCM

HTTP

ePerformance

No

6.0

Network

Medium

Single

Partial+

Partial+

Partial+

9.2

CVE-2015-4850

PeopleSoft Enterprise HCM

HTTP

Talent Acquisition Management

No

5.5

Network

Low

Single

Partial

Partial

None

9.2

CVE-2015-4818

PeopleSoft Enterprise PeopleTools

HTTP

PIA Core Technology

No

5.5

Network

Low

Single

Partial

Partial

None

8.54

CVE-2015-4828

PeopleSoft Enterprise FSCM

HTTP

FIN Resource Management (Security)

No

4.0

Network

Low

Single

Partial

None

None

9.2

CVE-2015-4804

PeopleSoft Enterprise HCM Talent Acquistion Managment

HTTP

Security

No

4.0

Network

Low

Single

Partial

None

None

9.2

CVE-2015-4876

PeopleSoft Enterprise PeopleTools

HTTP

Pivot Grid

No

4.0

Network

Low

Single

None

Partial

None

8.53, 8.54

CVE-2015-4825

PeopleSoft Enterprise FIN Expenses

HTTP

Expense Report General

No

3.5

Network

Medium

Single

Partial

None

None

9.2

Notes:

1. This fix also addresses CVE-2015-1788, CVE-2015-1789, CVE-2015-1790 and CVE-2015-1792 and CVE-2015-1793.

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Siebel CRM. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2015-4841

Siebel Core - Server Framework

HTTP

Services

Yes

4.3

Network

Medium

None

Partial

None

None

IP2014, IP2015

Appendix - Oracle Industry Applications****Oracle Industry Applications Executive Summary

This Critical Patch Update contains 14 new security fixes for the Oracle Industry Applications divided as follows:

• 1 new security fix for Oracle Industry Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
• 9 new security fixes for Oracle Communications Applications. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
• 4 new security fixes for Oracle Retail Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Industry Applications Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2015-4795

Oracle Utilities Work and Asset Management

HTTP

Add-On Applications

Yes

7.5

Network

Low

None

Partial

Partial

Partial

1.9.1.1.2

Oracle Communications Applications Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle Communications Applications. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Communications Applications Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2015-2608

Oracle Communications Diameter Signaling Router (DSR)

HTTP

PMAC

Yes

10.0

Network

Low

None

Complete

Complete

Complete

4.1.6 and earlier, 5.1.0 and earlier, 6.0.2 and earlier, 7.1.0 and earlier

CVE-2015-2608

Oracle Communications Performance Intelligence Center Software

HTTP

PMAC

Yes

10.0

Network

Low

None

Complete

Complete

Complete

9.0.3 and earlier, 10.1.5 and earlier

CVE-2015-2608

Oracle Communications Policy Management

HTTP

PMAC

Yes

10.0

Network

Low

None

Complete

Complete

Complete

9.9.0 and earlier, 10.5.0 and earlier, 11.5.0 and earlier, 12.1.0 and earlier

CVE-2015-2608

Oracle Communications Tekelec HLR Router

HTTP

PMAC

Yes

10.0

Network

Low

None

Complete

Complete

Complete

4.0.0

CVE-2014-7940

Oracle Communications Messaging Server

HTTP

Libraries

Yes

7.5

Network

Low

None

Partial

Partial

Partial

7.0.5, 8.0

See Note 1

CVE-2015-0235

Oracle Communications LSMS

Multiple

Glibc

No

6.0

Network

Medium

Single

Partial

Partial

Partial

13.1

CVE-2015-4793

Oracle Communications Convergence

HTTP

Mail Proxy

Yes

4.3

Network

Medium

None

Partial

None

None

2.0, 3.0.1

CVE-2015-4000

Oracle Communications Messaging Server

SSL/TLS

Security

Yes

4.3

Network

Medium

None

None

Partial

None

7.0.5, 8.0

See Note 2

Notes:

1. This fix also addresses CVE-2014-7923, CVE-2014-7926, CVE-2014-8146 and CVE-2014-8147.
2. This fix also addresses CVE-2015-2522.

Oracle Retail Applications Executive Summary

This Critical Patch Update contains 4 new security fixes for Oracle Retail Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Retail Applications Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2014-0050

Oracle Retail Back Office

HTTP

Security

Yes

7.5

Network

Low

None

Partial

Partial

Partial

RM2.0, 12.0IN, 12.0, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0.

CVE-2014-0050

Oracle Retail Central Office

HTTP

Security

Yes

7.5

Network

Low

None

Partial

Partial

Partial

RM2.0, 12.0IN, 12.0, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0.

CVE-2014-0050

Oracle Retail Returns Management:

HTTP

Security

Yes

7.5

Network

Low

None

Partial

Partial

Partial

RM2.0, 12.0IN, 12.0, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0.

CVE-2015-4827

Oracle Retail Open Commerce Platform

HTTP

Framework

Yes

6.4

Network

Low

None

Partial

Partial

None

3.0

Appendix - Oracle Java SE****Oracle Java SE Executive Summary

This Critical Patch Update contains 25 new security fixes for Oracle Java SE. 24 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are “Partial” instead of "Complete", lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.

Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 and 8 releases.

Oracle Java SE Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2015-4835

Java SE, Java SE Embedded

Multiple

CORBA

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Java SE 6u101, Java SE 7u85, Java SE 8u60, Java SE Embedded 8u51

See Note 1

CVE-2015-4881

Java SE, Java SE Embedded

Multiple

CORBA

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Java SE 6u101, Java SE 7u85, Java SE 8u60, Java SE Embedded 8u51

See Note 1

CVE-2015-4843

Java SE, Java SE Embedded

Multiple

Libraries

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Java SE 6u101, Java SE 7u85, Java SE 8u60, Java SE Embedded 8u51

See Note 1

CVE-2015-4883

Java SE, Java SE Embedded

Multiple

RMI

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Java SE 6u101, Java SE 7u85, Java SE 8u60, Java SE Embedded 8u51

See Note 1

CVE-2015-4860

Java SE, Java SE Embedded

Multiple

RMI

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Java SE 6u101, Java SE 7u85, Java SE 8u60, Java SE Embedded 8u51

See Note 1

CVE-2015-4805

Java SE, Java SE Embedded

Multiple

Serialization

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Java SE 6u101, Java SE 7u85, Java SE 8u60, Java SE Embedded 8u51

See Note 1

CVE-2015-4844

Java SE, Java SE Embedded

Mutiple

2D

Yes

10.0

Network

Low

None

Complete

Complete

Complete

Java SE 6u101, Java SE 7u85, Java SE 8u60, Java SE Embedded 8u51

See Note 1

CVE-2015-4901

Java SE

Multiple

JavaFX

Yes

9.3

Network

Medium

None

Complete

Complete

Complete

Java SE 8u60

See Note 1

CVE-2015-4868

Java SE, Java SE Embedded

Multiple

Libraries

Yes

7.6

Network

High

None

Complete

Complete

Complete

Java SE 8u60, Java SE Embedded 8u51

See Note 2

CVE-2015-4810

Java SE

None

Deployment

No

6.9

Local

Medium

None

Complete

Complete

Complete

Java SE 7u85, Java SE 8u60

See Note 1

CVE-2015-4806

Java SE, Java SE Embedded

Multiple

Libraries

Yes

6.4

Network

Low

None

Partial

Partial

None

Java SE 6u101, Java SE 7u85, Java SE 8u60, Java SE Embedded 8u51

See Note 1

CVE-2015-4871

Java SE

Multiple

Libraries

Yes

5.8

Network

Medium

None

Partial

Partial

None

Java SE 7u85

See Note 1

CVE-2015-4902

Java SE

Multiple

Deployment

Yes

5.0

Network

Low

None

None

Partial

None

Java SE 6u101, Java SE 7u85, Java SE 8u60

See Note 1

CVE-2015-4840

Java SE, Java SE Embedded

Multiple

2D

Yes

5.0

Network

Low

None

Partial

None

None

Java SE 7u85, Java SE 8u60, Java SE Embedded 8u51

See Note 1

CVE-2015-4882

Java SE, Java SE Embedded

Multiple

CORBA

Yes

5.0

Network

Low

None

None

None

Partial

Java SE 6u101, Java SE 7u85, Java SE 8u60, Java SE Embedded 8u51

See Note 1

CVE-2015-4842

Java SE, Java SE Embedded

Multiple

JAXP

Yes

5.0

Network

Low

None

Partial

None

None

Java SE 6u101, Java SE 7u85, Java SE 8u60, Java SE Embedded 8u51

See Note 1

CVE-2015-4734

Java SE, Java SE Embedded

Multiple

JGSS

Yes

5.0

Network

Low

None

Partial

None

None

Java SE 6u101, Java SE 7u85, Java SE 8u60, Java SE Embedded 8u51

See Note 1

CVE-2015-4903

Java SE, Java SE Embedded

Multiple

RMI

Yes

5.0

Network

Low

None

Partial

None

None

Java SE 6u101, Java SE 7u85, Java SE 8u60, Java SE Embedded 8u51

See Note 1

CVE-2015-4803

Java SE, Java SE Embedded, JRockit

Multiple

JAXP

Yes

5.0

Network

Low

None

None

None

Partial

Java SE 6u101, Java SE 7u85, Java SE 8u60, Java SE Embedded 8u51, JRockit R28.3.7

See Note 2

CVE-2015-4893

Java SE, Java SE Embedded, JRockit

Multiple

JAXP

Yes

5.0

Network

Low

None

None

None

Partial

Java SE 6u101, Java SE 7u85, Java SE 8u60, Java SE Embedded 8u51, JRockit R28.3.7

See Note 2

CVE-2015-4911

Java SE, Java SE Embedded, JRockit

Multiple

JAXP

Yes

5.0

Network

Low

None

None

None

Partial

Java SE 6u101, Java SE 7u85, Java SE 8u60, Java SE Embedded 8u51, JRockit R28.3.7

See Note 2

CVE-2015-4872

Java SE, Java SE Embedded, JRockit

Multiple

Security

Yes

5.0

Network

Low

None

None

Partial

None

Java SE 6u101, Java SE 7u85, Java SE 8u60, Java SE Embedded 8u51, JRockit R28.3.7

See Note 2

CVE-2015-4906

Java SE, JavaFX

Multiple

JavaFX

Yes

5.0

Network

Low

None

Partial

None

None

Java SE 8u60, JavaFX 2.2.85

See Note 1

CVE-2015-4916

Java SE, JavaFX

Multiple

JavaFX

Yes

5.0

Network

Low

None

Partial

None

None

Java SE 8u60, JavaFX 2.2.85

See Note 1

CVE-2015-4908

Java SE, JavaFX

Multiple

JavaFX

Yes

5.0

Network

Low

None

Partial

None

None

Java SE 8u60, JavaFX 2.2.85

See Note 1

Notes:

1. Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
2. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

Appendix - Oracle Sun Systems Products Suite****Oracle Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 15 new security fixes for the Oracle Sun Systems Products Suite. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Sun Systems Products Suite Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2015-4915

Integrated Lights Out Manager (ILOM)

Multiple

System Management

Yes

10.0

Network

Low

None

Complete

Complete

Complete

3.0, 3.1, 3.2

CVE-2015-4821

Integrated Lights Out Manager (ILOM)

HTTP

Web

Yes

9.3

Network

Medium

None

Complete

Complete

Complete

3.0, 3.1, 3.2

CVE-2015-4837

Solaris

None

Utility/Security

No

6.6

Local

Medium

Single

Complete

Complete

Complete

11.2

CVE-2015-4817

Solaris

None

Kernel Zones virtualized NIC driver

No

6.2

Local

High

None

Complete

Complete

Complete

11.2

CVE-2015-4820

Solaris

None

Solaris Kernel Zones

No

6.2

Local

High

None

Complete

Complete

Complete

11.2

CVE-1999-0377

Solaris

Multiple

INETD

Yes

5.0

Network

Low

None

None

None

Partial

10, 11.2

CVE-2015-4869

Solaris

None

Kernel

No

4.9

Local

Low

None

None

None

Complete

10, 11.2

CVE-2015-4831

Solaris

None

Solaris Kernel Zones

No

4.9

Local

Low

None

None

None

Complete

11.2

CVE-2015-4891

Solaris

None

NSCD

No

4.6

Local

Low

None

Partial

Partial

Partial

11.2

CVE-2015-4907

Solaris

None

Solaris Kernel Zones

No

4.6

Local

Low

None

Partial

Partial

Partial+

11.2

CVE-2015-2642

Solaris

Multiple

Gzip

No

4.4

Local

Medium

None

Partial

Partial

Partial

10, 11.2

CVE-2015-4000

Fujitsu M10-1, M10-4, M10-4S Servers

SSL/TLS

XCP Firmware

Yes

4.3

Network

Medium

None

None

Partial

None

XCP prior to XCP 2271

CVE-2015-4834

Solaris

None

Utility/Zones

No

3.7

Local

High

None

Partial

Partial

Partial

11.2

CVE-2015-4801

Solaris

None

Solaris Kernel Zones

No

2.1

Local

Low

None

Partial

None

None

11.2

CVE-2015-4822

Solaris

None

Solaris Kernel Zones

No

1.2

Local

High

None

None

None

Partial

11.2

Appendix - Oracle Pillar Axiom****Oracle Pillar Axiom Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Pillar Axiom. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Pillar Axiom Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2015-0235<

Oracle FS1-2 Flash Storage System

Multiple

Glibc

Yes

10.0

Network

Low

None

Complete

Complete

Complete

6.1, 6.2, 6.3

Appendix - Oracle Linux and Virtualization****Oracle Virtualization Executive Summary

This Critical Patch Update contains 3 new security fixes for Oracle Virtualization. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2015-4896

Oracle VM VirtualBox

None

Core

Yes

5.0

Network

Low

None

None

None

Partial+

VirtualBox prior to 4.0.34, 4.1.42, 4.2.34, 4.3.32, 5.0.8

See Note 1

CVE-2015-4856

Oracle VM VirtualBox

None

Core

No

4.9

Local

Low

None

None

None

Complete

VirtualBox prior to 4.0.30, 4.1.38, 4.2.30, 4.3.26, 5.0.0

CVE-2015-4813

Oracle VM VirtualBox

None

Core

No

2.1

Local

Low

None

None

None

Partial+

VirtualBox prior to 4.0.34, 4.1.42, 4.2.34, 4.3.32, 5.0.8

See Note 2

Notes:

1. Only VMs with Remote Display feature (RDP) enabled are impacted by CVE-2015-4896.
2. Only Windows guests are impacted by CVE-2015-4813. Windows guests without VirtualBox Guest Additions installed are not affected.

Appendix - Oracle MySQL****Oracle MySQL Executive Summary

This Critical Patch Update contains 30 new security fixes for Oracle MySQL. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

CVE#

Component

Protocol

Sub- component

Remote Exploit without Auth.?

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Access Vector

Access Complexity

Authen-tication

Confiden-tiality

Integrity

Avail-ability

CVE-2015-3144

MySQL Enterprise Monitor

HTTP

C-Agent

No

9.0

Network

Low

Single

Complete

Complete

Complete

2.3.20 and earlier, 3.0.22 and earlier

See Note 1

CVE-2015-4819

MySQL Server

None

Client programs

No

7.2

Local

Low

None

Complete

Complete

Complete

5.5.44 and earlier, 5.6.25 and earlier

See Note 2

CVE-2015-1793

MySQL Server

MySQL Protocol

Server : Security : Encryption

Yes

6.4

Network

Low

None

Partial

Partial

None

5.6.25 and earlier

See Note 3

CVE-2015-0286

MySQL Enterprise Monitor

HTTPS

C-Agent / Service Manager

Yes

5.0

Network

Low

None

None

None

Partial

2.3.20 and earlier, 3.0.20 and earlier

See Note 4

CVE-2015-4879

MySQL Server

MySQL Protocol

Server : DML

No

4.6

Network

High

Single

Partial+

Partial+

Partial+

5.5.44 and earlier, 5.6.25 and earlier

CVE-2015-4815

MySQL Server

MySQL Protocol

Server : DDL

No

4.0

Network

Low

Single

None

None

Partial+

5.5.45 and earlier, 5.6.26 and earlier

CVE-2015-4905

MySQL Server

MySQL Protocol

Server : DML

No

4.0

Network

Low

Single

None

None

Partial+

5.6.23 and earlier

CVE-2015-4858

MySQL Server

MySQL Protocol

Server : DML

No

4.0

Network

Low

Single

None

None

Partial+

5.5.45 and earlier, 5.6.26 and earlier

CVE-2015-4862

MySQL Server

MySQL Protocol

Server : DML

No

4.0

Network

Low

Single

None

None

Partial+

5.6.26 and earlier

CVE-2015-4866

MySQL Server

MySQL Protocol

Server : InnoDB

No

4.0

Network

Low

Single

None

None

Partial+

5.6.23 and earlier

CVE-2015-4816

MySQL Server

MySQL Protocol

Server : InnoDB

No

4.0

Network

Low

Single

None

None

Partial+

5.5.44 and earlier

CVE-2015-4800

MySQL Server

MySQL Protocol

Server : Optimizer

No

4.0

Network

Low

Single

None

None

Partial+

5.6.26 and earlier

CVE-2015-4870

MySQL Server

MySQL Protocol

Server : Parser

No

4.0

Network

Low

Single

None

None

Partial+

5.5.45 and earlier, 5.6.26 and earlier

CVE-2015-4802

MySQL Server

MySQL Protocol

Server : Partition

No

4.0

Network

Low

Single

None

None

Partial+

5.5.45 and earlier, 5.6.26 and earlier

CVE-2015-4833

MySQL Server

MySQL Protocol

Server : Partition

No

4.0

Network

Low

Single

None

None

Partial+

5.6.25 and earlier

CVE-2015-4830

MySQL Server

MySQL Protocol

Server : Security : Privileges

No

4.0

Network

Low

Single

None

Partial

None

5.5.45 and earlier, 5.6.26 and earlier

CVE-2015-4730

MySQL Server

MySQL Protocol

Server : Types

No

4.0

Network

Low

Single

None

None

Partial+

5.6.20 and earlier

CVE-2015-4826

MySQL Server

MySQL Protocol

Server : Types

No

4.0

Network

Low

Single

Partial

None

None

5.5.45 and earlier, 5.6.26 and earlier

CVE-2015-4904

MySQL Server

MySQL Protocol

libmysqld

No

4.0

Network

Low

Single

None

None

Partial+

5.6.25 and earlier

CVE-2015-4913

MySQL Server

MySQL Protocol

Server : DML

No

3.5

Network

Medium

Single

None

None

Partial+

5.5.45 and earlier, 5.6.26 and earlier

CVE-2015-4895

MySQL Server

MySQL Protocol

Server : InnoDB

No

3.5

Network

Medium

Single

None

None

Partial+

5.6.25 and earlier

CVE-2015-4861

MySQL Server

MySQL Protocol

Server : InnoDB

No

3.5

Network

Medium

Single

None

None

Partial+

5.5.45 and earlier, 5.6.26 and earlier

CVE-2015-4807

MySQL Server

MySQL Protocol

Server : Query Cache

No

3.5

Network

Medium

Single

None

None

Partial+

5.5.45 and earlier, 5.6.26 and earlier

See Note 5

CVE-2015-4890

MySQL Server

MySQL Protocol

Server : Replication

No

3.5

Network

Medium

Single

None

None

Partial+

5.6.26 and earlier

CVE-2015-4791

MySQL Server

MySQL Protocol

Server : Security : Privileges

No

3.5

Network

Medium

Single

None

None

Partial+

5.6.26 and earlier

See Note 5

CVE-2015-4864

MySQL Server

MySQL Protocol

Server : Security : Privileges

No

3.5

Network

Medium

Single

None

Partial

None

5.5.43 and earlier, 5.6.24 and earlier

CVE-2015-4836

MySQL Server

MySQL Protocol

Server : SP

No

2.8

Network

Medium

Multiple

None

None

Partial+

5.5.45 and earlier, 5.6.26 and earlier

CVE-2015-4910

MySQL Server

Memcached

Server : Memcached

No

2.1

Network

High

Single

None

None

Partial+

5.6.26 and earlier

CVE-2015-4766

MySQL Server

MySQL Protocol

Server : Security : Firewall

No

1.9

Local

Medium

None

None

None

Partial+

5.6.25 and earlier

CVE-2015-4792

MySQL Server

MySQL Protocol

Server : Partition

No

1.7

Network

High

Multiple

None

None

Partial+

5.5.45 and earlier, 5.6.26 and earlier

Notes:

1. This fix also addresses CVE-2014-3707, CVE-2014-8150, CVE-2015-3153 and CVE-2015-3236. The CVSS score is 9.0 if MySQL Enterprise Monitor runs with admin or root privileges. The score would be 6.5 if MySQL Enterprise Monitor runs with non-admin privileges and the impact on Confidentiality, Integrity and Availability would be Partial+. The Sub-Component for version 3.0.x is 'Proxy/Aggregator’.
2. The CVSS score is 7.2 if the Utility runs with admin or root privileges. The score would be 4.6 if the Utility runs with non-admin privileges and the impact on Confidentiality, Integrity and Availability would be Partial+.
3. This fix also addresses CVE-2015-0286, CVE-2015-0288 and CVE-2015-1789.
4. This fix also addresses CVE-2015-0288. The fix for version 2.3 also addresses CVE-2015-1793.
5. This issue impacts the Windows platform only.

Why Oracle

• Analyst Reports
• Gartner MQ for Cloud ERP
• Cloud Economics
• Corporate Responsibility
• Diversity and Inclusion
• Security Practices

Learn

• What is cloud computing?
• What is CRM?
• What is Docker?
• What is Kubernetes?
• What is Python?
• What is SaaS?

What’s New

• Oracle Supports Ukraine

• Oracle CloudWorld

• Oracle and Premier League

• Oracle Red Bull Racing

• Employee Experience Platform

• Oracle Support Rewards

• © 2022 Oracle

• Site Map

• Privacy/Do Not Sell My Info

• Ad Choices

• Careers

• Facebook

• Twitter

• LinkedIn

• YouTube