Headline
CVE-2020-14641: Oracle Critical Patch Update Advisory - July 2020
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Roles). Supported versions that are affected are 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.1 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).
- Click to view our Accessibility Policy
- Skip to content
Description
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Please refer to:
- Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security advisories.
Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.
This Critical Patch Update contains 444 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at July 2020 Critical Patch Update: Executive Summary and Analysis.
Affected Products and Patch Information
Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.
Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.
Affected Products and Versions
Patch Availability Document
Category Management Planning & Optimization, version 15.0.3
Retail Applications
Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0
Retail Applications
Enterprise Manager Base Platform, versions 12.1.0.5, 13.3.0.0, 13.4.0.0
Enterprise Manager
Enterprise Manager for Fusion Middleware, version 12.1.0.5
Enterprise Manager
Enterprise Manager Ops Center, version 12.4.0.0
Enterprise Manager
GoldenGate Stream Analytics, versions prior to 19.1.0.0.1
Database
Hyperion Financial Close Management, version 11.1.2.4
Fusion Middleware
Instantis EnterpriseTrack, versions 17.1-17.3
Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.4.2
JD Edwards
JD Edwards EnterpriseOne Tools, versions prior to 9.2.3.3, prior to 9.2.4.2
JD Edwards
MySQL Client, versions 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior
MySQL
MySQL Cluster, versions 7.3.29 and prior, 7.4.28 and prior, 7.5.18 and prior, 7.6.14 and prior, 8.0.20 and prior
MySQL
MySQL Connectors, versions 8.0.20 and prior
MySQL
MySQL Enterprise Monitor, versions 4.0.12 and prior, 8.0.20 and prior
MySQL
MySQL Server, versions 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior
MySQL
Oracle Agile Engineering Data Management, version 6.2.1.0
Oracle Supply Chain Products
Oracle Application Express, versions 5.1-19.2
Database
Oracle Application Testing Suite, versions 13.2.0.1, 13.3.0.1
Enterprise Manager
Oracle AutoVue, version 21.0
Oracle Supply Chain Products
Oracle Banking Enterprise Collections, versions 2.7.0-2.9.0
Oracle Banking Platform
Oracle Banking Payments, versions 14.1.0-14.4.0
Oracle Financial Services Applications
Oracle Banking Platform, versions 2.4.0-2.10.0
Oracle Banking Platform
Oracle Berkeley DB, versions prior to 6.1.38, prior to 18.1.40
Berkeley DB
Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
Fusion Middleware
Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0
Fusion Middleware
Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Fusion Middleware
Oracle Commerce Guided Search / Oracle Commerce Experience Manager, versions 11.0, 11.1, 11.2, prior to 11.3.1
Oracle Commerce
Oracle Commerce Platform, versions 11.1, 11.2, prior to 11.3.1
Oracle Commerce
Oracle Commerce Service Center, versions 11.1, 11.2, prior to 11.3.1
Oracle Commerce
Oracle Communications Analytics, version 12.1.1
Oracle Communications Analytics
Oracle Communications Billing and Revenue Management, versions 7.5.0.23.0, 12.0.0.3.0
Oracle Communications Billing and Revenue Management
Oracle Communications BRM - Elastic Charging Engine, versions 11.3, 12.0
Oracle Communications BRM - Elastic Charging Engine
Oracle Communications Contacts Server, version 8.0.0.4.0
Oracle Communications Contacts Server
Oracle Communications Convergence, versions 3.0.1.0-3.0.2.1
Oracle Communications Convergence
Oracle Communications Diameter Signaling Router (DSR), versions 8.0-8.4
Oracle Communications Diameter Signaling Router
Oracle Communications Element Manager, versions 8.1.1, 8.2.0, 8.2.1
Oracle Communications Element Manager
Oracle Communications Evolved Communications Application Server, version 7.1
Oracle Communications Evolved Communications Application Server
Oracle Communications Instant Messaging Server, version 10.0.1.4.0
Oracle Communications Instant Messaging Server
Oracle Communications Interactive Session Recorder, versions 6.1-6.4
Oracle Communications Interactive Session Recorder
Oracle Communications IP Service Activator, versions 7.3.0, 7.4.0
Oracle Communications IP Service Activator
Oracle Communications LSMS, versions 13.0-13.3
Oracle Communications LSMS
Oracle Communications Messaging Server, versions 8.0.2, 8.1.0
Oracle Communications Messaging Server
Oracle Communications MetaSolv Solution, version 6.3.0
Oracle Communications MetaSolv Solution
Oracle Communications Network Charging and Control, versions 6.0.1, 12.0.0-12.0.3
Oracle Communications Network Charging and Control
Oracle Communications Network Integrity, versions 7.3.2-7.3.6
Oracle Communications Network Integrity
Oracle Communications Operations Monitor, versions 3.4, 4.1-4.3
Oracle Communications Operations Monitor
Oracle Communications Order and Service Management, versions 7.3, 7.4
Oracle Communications Order and Service Management
Oracle Communications Services Gatekeeper, versions 6.0, 6.1, 7.0
Oracle Communications Services Gatekeeper
Oracle Communications Session Border Controller, versions 8.1.0, 8.2.0, 8.3.0
Oracle Communications Session Border Controller
Oracle Communications Session Report Manager, versions 8.1.1, 8.2.0, 8.2.1
Oracle Communications Session Report Manager
Oracle Communications Session Route Manager, versions 8.1.1, 8.2.0, 8.2.1
Oracle Communications Session Route Manager
Oracle Configuration Manager, version 12.1.2.0.6
Enterprise Manager
Oracle Configurator, versions 12.1, 12.2
Oracle Supply Chain Products
Oracle Data Masking and Subsetting, versions 13.3.0.0, 13.4.0.0
Enterprise Manager
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, [Spatial Studio] prior to 19.2.1
Database
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9
E-Business Suite
Oracle Endeca Information Discovery Studio, version 3.2.0
Fusion Middleware
Oracle Enterprise Communications Broker, versions 3.0.0-3.2.0
Oracle Enterprise Communications Broker
Oracle Enterprise Repository, version 11.1.1.7.0
Fusion Middleware
Oracle Enterprise Session Border Controller, versions 8.1.0, 8.2.0, 8.3.0
Oracle Enterprise Session Border Controller
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0
Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Compliance Regulatory Reporting, versions 8.0.6-8.0.8
Oracle Financial Services Compliance Regulatory Reporting
Oracle Financial Services Lending and Leasing, versions 12.5.0, 14.1.0-14.8.0
Oracle Financial Services Applications
Oracle Financial Services Liquidity Risk Management, version 8.0.6
Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.6-8.0.8
Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Market Risk Measurement and Management, versions 8.0.6, 8.0.8
Oracle Financial Services Market Risk Measurement and Management
Oracle Financial Services Regulatory Reporting for De Nederlandsche Bank, version 8.0.4
Oracle Financial Services Regulatory Reporting for De Nederlandsche Bank
Oracle FLEXCUBE Investor Servicing, versions 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
Oracle Financial Services Applications
Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0
Oracle Financial Services Applications
Oracle Fusion Middleware MapViewer, versions 12.2.1.3.0, 12.2.1.4.0
Fusion Middleware
Oracle Global Lifecycle Management/OPatch, versions prior to 12.2.0.1.20
Global Lifecycle Management
Oracle GoldenGate, versions prior to 19.1.0.0.0
Database
Oracle GraalVM Enterprise Edition, versions 19.3.2, 20.1.0
Oracle GraalVM Enterprise Edition
Oracle Health Sciences Empirica Inspections, version 1.0.1.2
Health Sciences
Oracle Health Sciences Empirica Signal, version 7.3.3
Health Sciences
Oracle Healthcare Master Person Index, version 4.0.2
Health Sciences
Oracle Healthcare Translational Research, versions 3.2.1, 3.3.1, 3.3.2, 3.4.0
Health Sciences
Oracle Help Technologies, versions 11.1.1.9.0, 12.2.1.3.0
Fusion Middleware
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1
Oracle Hospitality Guest Access
Oracle Hospitality Reporting and Analytics, version 9.1.0
Oracle Hospitality Reporting and Analytics
Oracle Hyperion BI+, version 11.1.2.4
Fusion Middleware
Oracle iLearning, versions 6.1, 6.1.1
iLearning
Oracle Insurance Accounting Analyzer, versions 8.0.6-8.0.9
Oracle Insurance Accounting Analyzer
Oracle Insurance Data Gateway, version 1.0
Oracle Insurance Applications
Oracle Insurance Policy Administration J2EE, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0
Oracle Insurance Applications
Oracle Insurance Rules Palette, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0
Oracle Insurance Applications
Oracle Java SE, versions 7u261, 8u251, 11.0.7, 14.0.1
Java SE
Oracle Java SE Embedded, version 8u251
Java SE
Oracle Outside In Technology, versions 8.5.4, 8.5.5
Fusion Middleware
Oracle Rapid Planning, versions 12.1, 12.2
Oracle Supply Chain Products
Oracle Real User Experience Insight, version 13.3.1.0
Enterprise Manager
Oracle Retail Assortment Planning, versions 15.0, 15.0.3, 16.0, 16.0.3
Retail Applications
Oracle Retail Bulk Data Integration, versions 15.0, 16.0
Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, version 18.0
Retail Applications
Oracle Retail Data Extractor for Merchandising, versions 1.9, 1.10, 18.0
Retail Applications
Oracle Retail Extract Transform and Load, version 19.0
Retail Applications
Oracle Retail Financial Integration, versions 15.0, 16.0
Retail Applications
Oracle Retail Fusion Platform, version 5.5
Retail Applications
Oracle Retail Integration Bus, versions 15.0, 15.0.3, 16.0, 16.0.3
Retail Applications
Oracle Retail Invoice Matching, version 16.0
Retail Applications
Oracle Retail Item Planning, version 15.0.3
Retail Applications
Oracle Retail Macro Space Optimization, version 15.0.3
Retail Applications
Oracle Retail Merchandise Financial Planning, version 15.0.3
Retail Applications
Oracle Retail Merchandising System, versions 15.0.3, 16.0.2, 16.0.3
Retail Applications
Oracle Retail Order Broker, version 15.0
Retail Applications
Oracle Retail Predictive Application Server, versions 14.0.3, 14.1.3, 15.0.3, 16.0.3
Retail Applications
Oracle Retail Regular Price Optimization, versions 15.0.3, 16.0.3
Retail Applications
Oracle Retail Replenishment Optimization, version 15.0.3
Retail Applications
Oracle Retail Sales Audit, version 14.1
Retail Applications
Oracle Retail Service Backbone, versions 14.1, 15.0, 16.0
Retail Applications
Oracle Retail Size Profile Optimization, version 15.0.3
Retail Applications
Oracle Retail Store Inventory Management, versions 14.0.4, 14.1.3, 15.0.3, 16.0.3
Retail Applications
Oracle Retail Xstore Point of Service, versions 7.1, 15.0, 16.0, 17.0, 18.0, 19.0
Retail Applications
Oracle SD-WAN Aware, versions 8.0, 8.1, 8.2
Oracle SD-WAN Aware
Oracle SD-WAN Edge, versions 8.0, 8.1, 8.2, 9.0
Oracle SD-WAN Edge
Oracle Security Service, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
Fusion Middleware
Oracle Solaris, version 11
Systems
Oracle TimesTen In-Memory Database, versions prior to 18.1.2.1.0
Database
Oracle Transportation Management, versions 6.3.7, 6.4.3
Oracle Supply Chain Products
Oracle Unified Directory, versions 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0
Fusion Middleware
Oracle Utilities Framework, versions 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0
Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
Virtualization
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
Fusion Middleware
Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0
Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Fusion Middleware
Oracle ZFS Storage Appliance Kit, version 8.8
Systems
PeopleSoft Enterprise FIN Expenses, version 9.2
PeopleSoft
PeopleSoft Enterprise HCM Global Payroll Switzerland, version 9.2
PeopleSoft
PeopleSoft Enterprise HRMS, version 9.2
PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58
PeopleSoft
Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.7, 18.8.0-18.8.9, 19.12.0-19.12.4
Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 16.1.0.0-16.2.20.1, 17.1.0.0-17.12.17.1, 18.1.0.0-18.8.19, 19.12.0-19.12.6
Oracle Construction and Engineering Suite
Primavera Portfolio Management, versions 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0
Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12, [Mobile App] prior to 20.6
Oracle Construction and Engineering Suite
Siebel Applications, versions 2.20.5 and prior, 20.6 and prior
Siebel
Note:
- Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
- Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
- Solaris Third Party Bulletins are used to announce security patches for third party software distributed with Oracle Solaris. Solaris 10 customers should refer to the latest patch-sets which contain critical security fixes and detailed in Systems Patch Availability Document. Please see Reference Index of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more information.
- Users running Java SE with a browser can download the latest release from https://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
Risk Matrix Content
Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.
Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is its unique identifier. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.
Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).
Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.
The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.
Workarounds
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.
Skipped Critical Patch Updates
Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.
Critical Patch Update Supported Products and Versions
Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.
Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
Credit Statement
The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:
- Abdullah Alzahrani: CVE-2020-14554, CVE-2020-14635
- Alessandro Bosco of TIM S.p.A: CVE-2020-14690
- Alexander Kornbrust of Red Database Security: CVE-2020-2984
- Alves Christopher (Telecom Nancy): CVE-2020-14550, CVE-2020-14553, CVE-2020-14623
- Ammarit Thongthua of Secure D Center Cybersecurity Team: CVE-2020-14558, CVE-2020-14564
- Andrej Simko of Accenture: CVE-2020-14534, CVE-2020-14555, CVE-2020-14590, CVE-2020-14657, CVE-2020-14658, CVE-2020-14659, CVE-2020-14660, CVE-2020-14661, CVE-2020-14665, CVE-2020-14666, CVE-2020-14667, CVE-2020-14679, CVE-2020-14688
- Antonin B. of NCIA / NCSC: CVE-2020-14610
- Arseniy Sharoglazov of Positive Technologies: CVE-2020-14622
- Artur Wojtkowski and CQURE Team: CVE-2020-14617, CVE-2020-14618
- Billy Cody of Context Information Security: CVE-2020-14595
- Bui Duong from Viettel Cyber Security: CVE-2020-14611
- CERT/CC: CVE-2020-14558
- Chathura Abeydeera of Deloitte Risk Advisory Pty Ltd: CVE-2020-14531
- Chi Tran: CVE-2020-14534, CVE-2020-14716, CVE-2020-14717
- Conor McErlane working with Trend Micro’s Zero Day Initiative: CVE-2020-14628
- Damian Bury: CVE-2020-14546
- Edoardo Predieri of TIM S.p.A: CVE-2020-14690
- Emad Al-Mousa of Saudi Aramco: CVE-2020-2969, CVE-2020-2978
- Fabio Minarelli of TIM S.p.A: CVE-2020-14690
- Filip Ceglik: CVE-2020-14560, CVE-2020-14565
- Forum Bhayani: CVE-2020-14592
- Francesco Russo of TIM S.p.A: CVE-2020-14690
- Giovanni Delvecchio of Almaviva Security Assessment Team: CVE-2020-14607, CVE-2020-14608
- Hangfan Zhang: CVE-2020-14575, CVE-2020-14654
- Hugo Santiago dos Santos: CVE-2020-14613
- Johannes Kuhn: CVE-2020-14556
- Julien Zhan (Telecom Nancy): CVE-2020-14550, CVE-2020-14553, CVE-2020-14623
- kdot working with Trend Micro Zero Day Initiative: CVE-2020-14664
- Khuyen Nguyen of secgit.com: CVE-2020-14668, CVE-2020-14669, CVE-2020-14670, CVE-2020-14671, CVE-2020-14681, CVE-2020-14682, CVE-2020-14686
- Kingkk: CVE-2020-14642, CVE-2020-14644
- Kritsada Sunthornwutthikrai of Secure D Center Cybersecurity Team: CVE-2020-14558, CVE-2020-14564
- Larry W. Cashdollar: CVE-2020-14724
- Lionel Debroux: CVE-2020-2981
- Luca Di Giuseppe of TIM S.p.A: CVE-2020-14690
- Lucas Leong of Trend Micro Zero Day Initiative: CVE-2020-14646, CVE-2020-14647, CVE-2020-14648, CVE-2020-14649, CVE-2020-14650, CVE-2020-14673, CVE-2020-14674, CVE-2020-14694, CVE-2020-14695, CVE-2020-14703, CVE-2020-14704
- lufei of Tencent Force: CVE-2020-14645
- Lukas Braune of Siemens: CVE-2019-8457
- Lukasz Mikula: CVE-2020-14541
- Lukasz Rupala of ING Tech Poland: CVE-2020-14552
- Maoxin Lin of Dbappsecurity Team: CVE-2020-14645, CVE-2020-14652
- Marco Marsala: CVE-2020-14559
- Markus Loewe: CVE-2020-14583
- Markus Wulftange of Code White GmbH: CVE-2020-14644, CVE-2020-14645, CVE-2020-14687
- Massimiliano Brolli of TIM S.p.A: CVE-2020-14690
- Mateusz Dabrowski: CVE-2020-14584, CVE-2020-14585
- Maxime Escourbiac of Michelin CERT: CVE-2020-14719, CVE-2020-14720
- Mohamed Fadel: CVE-2020-14601, CVE-2020-14602, CVE-2020-14603, CVE-2020-14604, CVE-2020-14605
- Ntears of Chaitin Security Team: CVE-2020-14645, CVE-2020-14652
- Owais Zaman of Sabic: CVE-2020-14551
- Pavel Cheremushkin: CVE-2020-14713
- Philippe Antoine (Telecom Nancy): CVE-2020-14550, CVE-2020-14553, CVE-2020-14623
- Philippe Arteau of GoSecure: CVE-2020-14577
- Preeyakorn Keadsai of Secure D Center Cybersecurity Team: CVE-2020-14558, CVE-2020-14564
- Przemyslaw Nowakowski: CVE-2020-2977
- Quynh Le of VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-14625
- r00t4dm from A-TEAM of Legendsec at Qi’anxin Group: CVE-2020-14636, CVE-2020-14637, CVE-2020-14638, CVE-2020-14639, CVE-2020-14640, CVE-2020-14645, CVE-2020-14652
- Reno Robert working with Trend Micro Zero Day Initiative: CVE-2020-14629, CVE-2020-14675, CVE-2020-14676, CVE-2020-14677
- Roberto Suggi Liverani of NCIA / NCSC: CVE-2020-14610
- Roger Meyer: CVE-2020-2513, CVE-2020-2971, CVE-2020-2972, CVE-2020-2973, CVE-2020-2974, CVE-2020-2975, CVE-2020-2976
- Roman Shemyakin: CVE-2020-14621
- Rui Zhong: CVE-2020-14575, CVE-2020-14654
- Saeed Shiravi: CVE-2020-14548
- Shimizu Kawasaki of Asiainfo-sec of CSS Group: CVE-2020-14645, CVE-2020-14652
- Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2020-14532, CVE-2020-14533
- Suthum Thitiananpakorn: CVE-2020-14569
- Ted Raffle of rapid7.com: CVE-2020-14535, CVE-2020-14536
- Tomasz Stachowicz: CVE-2020-14570, CVE-2020-14571
- Trung Le: CVE-2020-14534, CVE-2020-14716, CVE-2020-14717
- Tuan Anh Nguyen of Viettel Cyber Security: CVE-2020-14598, CVE-2020-14599
- Vijayakumar Muniraj of CybersecurityWorks Research Labs: CVE-2020-14723
- Yaoguang Chen of Ant-financial Light-Year Security Lab: CVE-2020-14654, CVE-2020-14725
- Yongheng Chen: CVE-2020-14575, CVE-2020-14654
- ZeddYu Lu of StarCross Tech: CVE-2020-14588, CVE-2020-14589
- Zhao Xin Jun: CVE-2020-14652
- Zhongcheng Li (CK01) from Zero-dayits Team of Legendsec at Qi’anxin Group: CVE-2020-14711, CVE-2020-14712
- Ziming Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2020-14707, CVE-2020-14714, CVE-2020-14715
- Ziming Zhang from Codesafe Team of Legendsec at Qi’anxin Group working with Trend Micro Zero Day Initiative: CVE-2020-14698, CVE-2020-14699, CVE-2020-14700
- Zouhair Janatil-Idrissi (Telecom Nancy): CVE-2020-14550, CVE-2020-14553, CVE-2020-14623
Security-In-Depth Contributors
Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.
In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle’s Security-In-Depth program.:
- Alexander Kornbrust of Red Database Security [10 reports]
- Cao Linhong of Sangfor Furthereye Security Team
- Chi Tran [2 reports]
- Fatih Çelik
- James Nichols of 80/20 Labs
- lufei of Tencent Force
- Maoxin Lin of Dbappsecurity Team
- Marc Fielding of Google
- Markus Loewe [2 reports]
- r00t4dm from A-TEAM of Legendsec at Qi’anxin Group
- Ryan Gerstenkorn
- Saeid Tizpaz Niari
- Shimizu Kawasaki of Asiainfo-sec of CSS Group
- Trung Le [2 reports]
- Venustech ADLab
- Yu Wang of BMH Security Team [2 reports]
On-Line Presence Security Contributors
Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle’s on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle’s on-line external-facing systems.
For this quarter, Oracle recognizes the following for contributions to Oracle’s On-Line Presence Security program:
- 0xd0ff9 aka Bao Bui
- 1ZRR4H aka Germán Fernández
- @ngkogkos hunt4p1zza
- Abdulkadir Mutlu
- Abdullah Mohamed
- Abhinav P
- Aditra Andri Laksana
- Ahmed Moustafa
- Alfie Njeru (emenalf)
- Aman Deep Singh Chawla
- Anas Rahmani
- Anat Bremler-Barr
- Anis Azzi
- Anon Venus
- Ansar Uddin Anan
- Ben Passmore
- Celal Erdik of Ebruu Tech Limited
- Chirag Prajapati
- Dave Altena
- Dhamu Harker
- Dhiral Patel
- Dhiren Kumar Pradhan
- Elmonzer Kamaleldin of Monzer Kamal
- HackersEra VMS [2 reports]
- Hamza Megahed
- Harpreet Singh of Pyramid Cyber Security & Forensic Pvt Ltd
- Harry The DevOps Guy
- Ilyas Orak
- Jagdish Bharucha
- Jatin Saini
- Jeremy Lindsey of Burns & McDonnell [2 reports]
- Jin DanLong
- Josue Acevedo Maldonado
- Ken Nevers
- Kishore Hariram [2 reports]
- Last Light [2 reports]
- Lior Shafir
- Luciano Anezin
- Maayan Amid of Orca Security
- Magrabur Alam Sofily
- Matthijs R. Koot [2 reports]
- Mayur Gupta
- Meridian Miftari
- Moaied Nagi Hassan (Moonlight)
- Mohit Khemchandani
- Muhammad Abdullah
- Naveen Kumar
- Ome Mishra
- Prathmesh Lalingkar
- Pratish Bhansali
- Prince Achillies
- Pritam Mukherjee
- Rajesh Patil
- Raphael Karger
- Ricardo Iramar dos Santos
- Ridvan Erbas
- Roger Meyer
- rootme34
- Russell Muetzelfeldt of Flybuys
- Saad Zitouni
- Sajid Ali
- Sam Jadali
- Sarath Kumar (Kadavul)
- Saurabh Dilip Mhatre
- Severus of VietSunshine Security Engineering Team
- Shailesh Kumar
- Shubham Khadgi
- Sipke Mellema
- Siva Pathela
- Smii Mondher
- Srinivas M
- Tinu Tomy
- Tony Marcel Nasr [2 reports]
- Tuatnh
- Tushar Bhardwaj
- Ujjwal Tyagi
- Valentin Virtejanu of Lifespan
- Victor Gevers
- Viet Nguyen [2 reports]
- Virendra Tiwari
- Vishal Ajwani
- Vlad Staricin
- Yehuda Afek
- Youssef A. Mohamed aka GeneralEG
- Zubin
Critical Patch Update Schedule
Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 20 October 2020
- 19 January 2021
- 20 April 2021
- 20 July 2021
References
- Oracle Critical Patch Updates, Security Alerts and Bulletins
- Critical Patch Update - July 2020 Documentation Map
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
- English text version of the risk matrices
- CVRF XML version of the risk matrices
- Map of CVE to Advisory/Alert
- Software Error Correction Support Policy
- Oracle Lifetime support Policy
- JEP 290 Reference Blocklist Filter
Modification History
Date
Note
2020-December-1
Rev 8. Updated CVSS score of CVE-2020-14564.
2020-August-31
Rev 7. Credit Statement Update.
2020-August-3
Rev 6. Credit Statement Update.
2020-July-27
Rev 5. Credit Statement Update.
2020-July-24
Rev 4. Affected version number changes to CVE-2020-14701 & CVE-2020-14606
2020-July-23
Rev 3. Added entry for CVE-2020-14725 in MySQL Risk Matrix. The fix was included in patches already released but was inadvertently not documented.
2020-July-20
Rev 2. Credit Statement Update.
2020-July-14
Rev 1. Initial Release.
Oracle Database Products Risk Matrices
This Critical Patch Update contains 27 new security patches for the Oracle Database Products divided as follows:
- 19 new security patches for Oracle Database Server.
- 3 new security patches for Oracle Berkeley DB.
- 1 new security patch for Oracle Global Lifecycle Management.
- 3 new security patches for Oracle GoldenGate.
- 1 new security patch for Oracle TimesTen In-Memory Database.
Oracle Database Server Risk Matrix
This Critical Patch Update contains 19 new security patches for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
CVE#
Component
Package and/or Privilege Required
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2016-1000031
MapViewer (Apache Commons FileUpload)
Valid User Account
HTTP
No
8.8
Network
Low
Low
None
Un-
changed
High
High
High
12.2.0.1, 18c, 19c
See Note 1
CVE-2020-2968
Java VM
Create Session, Create Procedure
Multiple
No
8.0
Network
High
Low
Required
Changed
High
High
High
11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2016-9843
Core RDBMS (zlib)
Create Session
Oracle Net
No
7.2
Network
Low
High
None
Un-
changed
High
High
High
18c
CVE-2020-2969
Data Pump
DBA role account
Oracle Net
No
6.6
Network
High
High
None
Un-
changed
High
High
High
11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-8112
GeoRaster (OpenJPG)
Create Session
Oracle Net
No
5.7
Network
Low
Low
Required
Un-
changed
None
None
High
18c
CVE-2020-2513
Oracle Application Express
SQL Workshop
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
5.1-19.2
CVE-2020-2971
Oracle Application Express
SQL Workshop
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
5.1-19.2
CVE-2020-2972
Oracle Application Express
SQL Workshop
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
5.1-19.2
CVE-2020-2973
Oracle Application Express
SQL Workshop
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
5.1-19.2
CVE-2020-2974
Oracle Application Express
SQL Workshop
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
5.1-19.2
CVE-2020-2976
Oracle Application Express
SQL Workshop
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
5.1-19.2
CVE-2020-2975
Oracle Application Express
SQL Workshop
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
5.1-19.2
CVE-2019-17569
Workload Manager (Apache Tomcat)
None
HTTP
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
12.2.0.1, 18c, 19c
CVE-2020-2977
Oracle Application Express
Valid User Account
HTTP
No
4.6
Network
Low
Low
Required
Un-
changed
Low
Low
None
5.1-19.2
CVE-2020-2978
Oracle Database - Enterprise Edition
DBA role account
Oracle Net
No
4.1
Network
Low
High
None
Changed
None
Low
None
12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2019-13990
MapViewer (Terracotta Quartz Scheduler, Apache Batik, Google Guava)
Local Logon
None
No
0.0
Local
Low
Low
Required
Un-
changed
None
None
None
12.2.0.1, 18c, 19c
See Note 2
CVE-2018-18314
Oracle Database (Perl)
Local Logon
None
No
0.0
Local
High
High
None
Un-
changed
None
None
None
11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
See Note 3
CVE-2019-10086
Spatial Studio (Apache Commons Beanutils)
Local Logon
None
No
0.0
Local
Low
Low
None
Un-
changed
None
None
None
Spatial Studio: Prior to 19.2.1
See Note 4
CVE-2019-16943
TFA (jackson-databind)
Local Logon
None
No
0.0
Local
High
High
None
Un-
changed
None
None
None
12.2.0.1, 18c, 19c
See Note 5
Notes:
- MapViewer is not deployed with a default installation. To use MapViewer the customer needs to re-deploy MapViewer EAR file into Oracle WebLogic Server.
- The CVE-2019-13990 and other CVEs listed for this patch are not exploitable in the context of Oracle Spatial and Graph MapViewer product, thus the CVSS score is 0.0.
- None of the CVEs listed against this row are exploitable in the context of Oracle Database, thus the CVSS score is 0.0.
- The CVE-2019-10086 is not exploitable in the context of Oracle Spatial Studio product, thus the CVSS score is 0.0.
- The CVE-2019-16943 and additional CVEs addressed by this patch are not exploitable in the context of Oracle TFA, thus the CVSS score for TFA patch for this issue is is 0.0.
Additional CVEs addressed are below:
- The patch for CVE-2016-9843 also addresses CVE-2016-9840, CVE-2016-9841 and CVE-2016-9842.
- The patch for CVE-2018-18314 also addresses CVE-2015-8607, CVE-2015-8608, CVE-2016-2381, CVE-2017-12814, CVE-2017-12837, CVE-2017-12883, CVE-2018-12015, CVE-2018-18311, CVE-2018-18312, CVE-2018-18313, CVE-2018-6797, CVE-2018-6798 and CVE-2018-6913.
- The patch for CVE-2019-13990 also addresses CVE-2018-10237 and CVE-2018-8013.
- The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
- The patch for CVE-2019-17569 also addresses CVE-2020-1935 and CVE-2020-1938.
- The patch for CVE-2020-8112 also addresses CVE-2016-1923, CVE-2016-1924, CVE-2016-3183, CVE-2016-4796, CVE-2016-4797, CVE-2016-8332, CVE-2016-9112 and CVE-2020-6851.
Oracle Berkeley DB Risk Matrix
This Critical Patch Update contains 3 new security patches for Oracle Berkeley DB. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Component
Package and/or Privilege Required
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-10140
Data Store
None
None
No
7.3
Local
Low
Low
Required
Un-
changed
High
High
High
Prior to 6.1.38
CVE-2020-2981
Data Store
None
None
No
7.0
Local
High
None
Required
Un-
changed
High
High
High
Prior to 18.1.40
CVE-2019-8457
Data Store (SQLite)
None
TCP
No
0.0
Network
Low
None
Required
Un-
changed
None
None
None
Prior to 18.1.40
See Note 1
Notes:
- The CVE-2019-8457 is not exploitable in the context of Oracle Berkeley DB product, thus the CVSS score is 0.0.
Oracle Global Lifecycle Management Risk Matrix
This Critical Patch Update contains 1 new security patch for Oracle Global Lifecycle Management. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-9546
Oracle Global Lifecycle Management/OPatch
Patch Installer (jackson-databind)
None
No
0.0
Local
Low
Low
None
Un-
changed
None
None
None
Prior to 12.2.0.1.20
See Note 1
Notes:
- None of the CVEs listed against this row are exploitable in the Oracle Global Lifecycle Management product, thus the CVSS score is 0.0.
Additional CVEs addressed are below:
- The patch for CVE-2020-9546 also addresses CVE-2019-16943, CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.
Oracle GoldenGate Risk Matrix
This Critical Patch Update contains 3 new security patches for Oracle GoldenGate. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14705
Oracle GoldenGate
Process Management
TCP
Yes
9.6
Adjacent
Network
Low
None
None
Changed
High
High
High
Prior to 19.1.0.0.0
CVE-2019-0222
GoldenGate Stream Analytics
Security (ActiveMQ)
TCP
No
6.5
Network
Low
Low
None
Un-
changed
None
None
High
Prior to 19.1.0.0.1
CVE-2019-14379
GoldenGate Stream Analytics
Security / Application Adapters (jackson-databind, SLF4J, ZooKeeper, Apache Spark)
None
No
0.0
Local
Low
Low
None
Un-
changed
None
None
None
Prior to 19.1.0.0.1
See Note 1
Notes:
- CVE-2019-14379 and other CVEs addressed by these patches are not exploitable in the Oracle GoldenGate product, thus the CVSS score is 0.0.
Additional CVEs addressed are below:
- The patch for CVE-2019-14379 also addresses CVE-2016-5017, CVE-2017-5637, CVE-2018-17190, CVE-2018-8012, CVE-2018-8088, CVE-2019-0201, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14439 and CVE-2019-14893.
Oracle TimesTen In-Memory Database Risk Matrix
This Critical Patch Update contains 1 new security patch for Oracle TimesTen In-Memory Database. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2018-18314
Oracle TimesTen In-Memory Database
Doc, EM Plug-in (Perl)
OracleNet
No
0.0
Network
Low
Low
None
Un-
changed
None
None
None
Prior to 18.1.2.1.0
See Note 1
Notes:
- None of the CVEs listed against this row are exploitable in the context of Oracle Database, thus the CVSS score is 0.0.
Additional CVEs addressed are below:
- The patch for CVE-2018-18314 also addresses CVE-2015-8607, CVE-2015-8608, CVE-2016-2381, CVE-2017-12814, CVE-2017-12837, CVE-2017-12883, CVE-2018-12015, CVE-2018-18311, CVE-2018-18312, CVE-2018-18313, CVE-2018-6797, CVE-2018-6798 and CVE-2018-6913.
Oracle Commerce Risk Matrix
This Critical Patch Update contains 4 new security patches for Oracle Commerce. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14536
Oracle Commerce Guided Search / Oracle Commerce Experience Manager
Workbench
HTTP
Yes
7.4
Network
High
None
None
Un-
changed
High
High
None
11.0, 11.1, 11.2, prior to 11.3.1
CVE-2020-14535
Oracle Commerce Service Center
Commerce Service Center
HTTP
Yes
7.4
Network
High
None
None
Un-
changed
High
High
None
11.1, 11.2, prior to 11.3.1
CVE-2020-14532
Oracle Commerce Platform
Dynamo Application Framework
HTTP
Yes
4.7
Network
Low
None
Required
Changed
None
Low
None
11.1, 11.2, prior to 11.3.1
CVE-2020-14533
Oracle Commerce Platform
Dynamo Application Framework
HTTP
No
3.5
Network
Low
High
Required
Un-
changed
Low
Low
None
11.1, 11.2, prior to 11.3.1
Oracle Communications Applications Risk Matrix
This Critical Patch Update contains 60 new security patches for Oracle Communications Applications. 46 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14701
Oracle SD-WAN Aware
User Interface
HTTP
Yes
10.0
Network
Low
None
None
Changed
High
High
High
8.0, 8.1, 8.2
CVE-2020-14606
Oracle SD-WAN Edge
User Interface
HTTP
Yes
10.0
Network
Low
None
None
Changed
High
High
High
8.0, 8.1, 8.2, 9.0
CVE-2018-11058
Oracle Communications Analytics
Platform (RSA BSAFE)
Multiple
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.1.1
CVE-2019-16943
Oracle Communications Billing and Revenue Management
Business Operation Center, Billing Care (jackson-databind)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
7.5.0.23.0, 12.0.0.3.0
CVE-2016-1000031
Oracle Communications Contacts Server
Core (Apache Commons FileUpload)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
8.0.0.4.0
CVE-2020-9546
Oracle Communications Contacts Server
Core (jackson-databind)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
8.0.0.4.0
CVE-2020-1938
Oracle Communications Element Manager
Core (Apache Tomcat)
Apache JServ Protocol (AJP)
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
8.1.1, 8.2.0, 8.2.1
CVE-2020-9546
Oracle Communications Evolved Communications Application Server
Session Design Center, Universal Data Recorder (jackson-databind)
Multiple
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
7.1
CVE-2020-1938
Oracle Communications Instant Messaging Server
Installation (Apache Tomcat)
Apache JServ Protocol (AJP)
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
10.0.1.4.0
CVE-2020-9546
Oracle Communications Instant Messaging Server
Presence API (jackson-databind)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
10.0.1.4.0
CVE-2019-13990
Oracle Communications IP Service Activator
Netwok Processor Configuration Management (Terracotta Quartz Scheduler)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
7.3.0, 7.4.0
CVE-2020-11656
Oracle Communications Network Charging and Control
Data Access Pack (SQLite)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
6.0.1, 12.0.0-12.0.3
CVE-2019-2729
Oracle Communications Network Integrity
Integration (Oracle WebLogic Server)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
7.3.2-7.3.6
CVE-2019-2904
Oracle Communications Network Integrity
User Interface (Application Development Framework)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
7.3.2-7.3.6
CVE-2017-5645
Oracle Communications Network Integrity
Cartridge Management (Log4j)
Multiple
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
7.3.2-7.3.6
CVE-2020-7060
Oracle Communications Diameter Signaling Router (DSR)
Platform (PHP)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
None
High
8.0-8.4
CVE-2020-1945
Oracle Communications MetaSolv Solution
Online Help (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
6.3.0
CVE-2018-1258
Oracle Communications Network Integrity
Core (Spring Framework)
HTTP
No
8.8
Network
Low
Low
None
Un-
changed
High
High
High
7.3.2-7.3.6
CVE-2020-9546
Oracle Communications Network Charging and Control
Installer (jackson-databind)
None
No
8.4
Local
Low
None
None
Un-
changed
High
High
High
6.0.1, 12.0.0-12.0.3
CVE-2020-14580
Oracle Communications Session Border Controller
System Admin
SSH
No
8.2
Network
Low
Low
Required
Changed
High
Low
Low
8.1.0, 8.2.0, 8.3.0
CVE-2016-1181
Oracle Communications Network Integrity
MSS Integration Cartridge (Apache Struts 1)
HTTP
Yes
8.1
Network
High
None
None
Un-
changed
High
High
High
7.3.2-7.3.6
CVE-2017-0861
Oracle Communications LSMS
Kernel
None
No
7.8
Local
Low
Low
None
Un-
changed
High
High
High
13.0-13.3
CVE-2020-1945
Oracle Communications Order and Service Management
Installer (Apache Ant)
None
No
7.7
Local
Low
None
None
Un-
changed
High
High
None
7.3, 7.4
CVE-2020-5398
Oracle Communications BRM - Elastic Charging Engine
Orchestration (Spring Framework)
HTTP
Yes
7.5
Network
High
None
Required
Un-
changed
High
High
High
11.3, 12.0
CVE-2019-17359
Oracle Communications Convergence
S/MIME Configuration (Bouncy Castle Java Library)
HTTPS
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
3.0.1.0-3.0.2.1
CVE-2020-5398
Oracle Communications Element Manager
Core (Spring Framework)
HTTP
Yes
7.5
Network
High
None
Required
Un-
changed
High
High
High
8.1.1, 8.2.0, 8.2.1
CVE-2019-0227
Oracle Communications Network Integrity
Adapters (Apache Axis)
HTTP
Yes
7.5
Adjacent
Network
High
None
None
Un-
changed
High
High
High
7.3.5, 7.3.6
CVE-2019-16056
Oracle Communications Operations Monitor
VSP implementing webserver (Python)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
High
None
None
3.4, 4.1-4.3
CVE-2019-0227
Oracle Communications Order and Service Management
Installer, CMWS, CMT (Apache Axis)
HTTP
Yes
7.5
Adjacent
Network
High
None
None
Un-
changed
High
High
High
7.3, 7.4
CVE-2020-5398
Oracle Communications Session Report Manager
Core (Spring Framework)
HTTP
Yes
7.5
Network
High
None
Required
Un-
changed
High
High
High
8.1.1, 8.2.0, 8.2.1
CVE-2020-5398
Oracle Communications Session Route Manager
Core (Spring Framework)
HTTP
Yes
7.5
Network
High
None
Required
Un-
changed
High
High
High
8.1.1, 8.2.0, 8.2.1
CVE-2020-14630
Oracle Enterprise Session Border Controller
File Upload
HTTP
No
7.5
Network
Low
High
Required
Changed
Low
Low
High
8.1.0, 8.2.0, 8.3.0
CVE-2019-10193
Oracle Communications Operations Monitor
FDP, VSP Login, Packet Inspector (Redis)
HTTP
No
7.2
Network
Low
High
None
Un-
changed
High
High
High
3.4, 4.1
CVE-2019-12423
Oracle Communications Element Manager
REST API (Apache CXF)
HTTP
No
6.5
Network
Low
Low
None
Un-
changed
High
None
None
8.1.1, 8.2.0, 8.2.1
CVE-2019-12423
Oracle Communications Session Report Manager
REST API (Apache CXF)
HTTP
No
6.5
Network
Low
Low
None
Un-
changed
High
None
None
8.1.1, 8.2.0, 8.2.1
CVE-2019-12423
Oracle Communications Session Route Manager
REST API (Apache CXF)
HTTP
No
6.5
Network
Low
Low
None
Un-
changed
High
None
None
8.1.1, 8.2.0, 8.2.1
CVE-2020-14721
Oracle Enterprise Communications Broker
WebGUI
HTTP
No
6.3
Network
Low
Low
None
Un-
changed
Low
Low
Low
3.0.0-3.2.0
CVE-2020-11022
Oracle Communications Analytics
Platform (jQuery)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.1.1
CVE-2020-11022
Oracle Communications Element Manager
User Interface (jQuery)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.1.1, 8.2.0, 8.2.1
CVE-2020-1941
Oracle Communications Element Manager
Workorders (Apache ActiveMQ)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.1.1, 8.2.0, 8.2.1
CVE-2020-11022
Oracle Communications Interactive Session Recorder
Dashboard (jQuery)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
6.1-6.4
CVE-2019-17091
Oracle Communications Network Integrity
Core (Eclipse Mojarra)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
7.3.5, 7.3.6
CVE-2020-11022
Oracle Communications Operations Monitor
Mediation Engine, Dashboard, Grapahs, Calls (jQuery)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
3.4, 4.1-4.3
CVE-2020-11022
Oracle Communications Session Report Manager
User Interface (jQuery)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.1.1, 8.2.0, 8.2.1
CVE-2020-1941
Oracle Communications Session Report Manager
Workorders (Apache ActiveMQ)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.1.1, 8.2.0, 8.2.1
CVE-2020-11022
Oracle Communications Session Route Manager
User Interface (jQuery)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.1.1, 8.2.0, 8.2.1
CVE-2020-1941
Oracle Communications Session Route Manager
Workorders (Apache ActiveMQ)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.1.1, 8.2.0, 8.2.1
CVE-2020-14563
Oracle Enterprise Communications Broker
WebGUI
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
3.0.0-3.2.0
CVE-2020-14722
Oracle Enterprise Communications Broker
WebGUI
HTTP
Yes
5.8
Network
High
None
Required
Changed
Low
Low
Low
3.0.0-3.2.0
CVE-2018-3639
Oracle Communications LSMS
Kernel
None
No
5.5
Local
Low
Low
None
Un-
changed
High
None
None
13.0-13.3
CVE-2020-1951
Oracle Communications Messaging Server
Security (Apache Tika)
None
No
5.5
Local
Low
None
Required
Un-
changed
None
None
High
8.0.2, 8.1.0
CVE-2019-10247
Oracle Communications Analytics
Platform (Eclipse Jetty)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
12.1.1
CVE-2020-1934
Oracle Communications Element Manager
Core (Apache HTTP Server)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
8.1.1, 8.2.0, 8.2.1
CVE-2019-10247
Oracle Communications Services Gatekeeper
Platform Test Environment (Eclipse Jetty)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
6.0, 6.1, 7.0
CVE-2020-1934
Oracle Communications Session Report Manager
Core (Apache HTTP Server)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
8.1.1, 8.2.0, 8.2.1
CVE-2020-1934
Oracle Communications Session Route Manager
Core (Apache HTTP Server)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
8.1.1, 8.2.0, 8.2.1
CVE-2020-14574
Oracle Communications Interactive Session Recorder
FACE
None
No
4.7
Local
High
High
None
Un-
changed
High
Low
None
6.1-6.4
CVE-2020-9488
Oracle Communications Instant Messaging Server
Installation (Log4j)
SMTPS
Yes
3.7
Network
High
None
None
Un-
changed
Low
None
None
10.0.1.4.0
CVE-2020-9488
Oracle Communications Interactive Session Recorder
API, FACE, Archiver (Log4j)
SMTPS
Yes
3.7
Network
High
None
None
Un-
changed
Low
None
None
6.1-6.4
CVE-2020-9488
Oracle Communications Network Charging and Control
Notification Gateway (Log4j)
SMTPS
Yes
3.7
Network
High
None
None
Un-
changed
Low
None
None
6.0.1, 12.0.0-12.0.3
Additional CVEs addressed are below:
- The patch for CVE-2016-1181 also addresses CVE-2016-1182.
- The patch for CVE-2017-0861 also addresses CVE-2017-15265, CVE-2018-1000004, CVE-2018-10901, CVE-2018-3620, CVE-2018-3646, CVE-2018-3693, CVE-2018-5390 and CVE-2018-7566.
- The patch for CVE-2017-5645 also addresses CVE-2020-9488.
- The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769.
- The patch for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
- The patch for CVE-2018-3639 also addresses CVE-2018-10675, CVE-2018-10872 and CVE-2018-3665.
- The patch for CVE-2019-0227 also addresses CVE-2018-8032.
- The patch for CVE-2019-10193 also addresses CVE-2019-10192.
- The patch for CVE-2019-10247 also addresses CVE-2019-10246.
- The patch for CVE-2019-12423 also addresses CVE-2019-17573.
- The patch for CVE-2019-13990 also addresses CVE-2019-5427.
- The patch for CVE-2019-16056 also addresses CVE-2019-16935.
- The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
- The patch for CVE-2019-2729 also addresses CVE-2019-2725.
- The patch for CVE-2019-2904 also addresses CVE-2019-2094.
- The patch for CVE-2020-11022 also addresses CVE-2019-11358 and CVE-2020-11023.
- The patch for CVE-2020-11656 also addresses CVE-2020-11655, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632 and CVE-2020-9327.
- The patch for CVE-2020-1934 also addresses CVE-2020-1927.
- The patch for CVE-2020-1938 also addresses CVE-2019-17569 and CVE-2020-1935.
- The patch for CVE-2020-1951 also addresses CVE-2020-1950.
- The patch for CVE-2020-5398 also addresses CVE-2020-5397.
- The patch for CVE-2020-7060 also addresses CVE-2020-7059.
- The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.
Oracle Construction and Engineering Risk Matrix
This Critical Patch Update contains 20 new security patches for Oracle Construction and Engineering. 15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-5645
Primavera Gateway
Admin (Apache Ant)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
16.2.0-16.2.11, 17.12.0-17.12.7
CVE-2020-10683
Primavera P6 Enterprise Project Portfolio Management
Web Access (dom4j)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
16.1.0.0-16.2.20.1, 17.1.0.0-17.12.17.1, 18.1.0.0-18.8.19, 19.12.0-19.12.6
CVE-2020-9546
Primavera Unifier
Platform (jackson-databind)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2020-1945
Primavera Unifier
Core (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2018-17196
Primavera P6 Enterprise Project Portfolio Management
Web Access (kafka client)
HTTP
No
8.8
Network
Low
Low
None
Un-
changed
High
High
High
19.12.0-19.12.6
CVE-2020-9484
Instantis EnterpriseTrack
Core (Apache Tomcat)
None
No
7.0
Local
High
Low
None
Un-
changed
High
High
High
17.1-17.3
CVE-2020-11022
Primavera Gateway
Admin (jQuery)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
16.2.0-16.2.11, 17.12.0-17.12.7, 18.8.0-18.8.9, 19.12.0-19.12.4
CVE-2020-2562
Primavera Portfolio Management
Investor Module
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0
CVE-2020-14528
Primavera Portfolio Management
Web Access
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0
CVE-2020-14706
Primavera P6 Enterprise Project Portfolio Management
Web Access
HTTP
Yes
5.9
Network
High
None
Required
Un-
changed
High
Low
None
17.1.0.0-17.12.17.1, 18.1.0.0-18.8.19, 19.12.0-19.12.5
CVE-2020-14527
Primavera Portfolio Management
Web Access
HTTP
Yes
5.9
Network
High
None
Required
Un-
changed
High
Low
None
16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0
CVE-2020-14549
Primavera Portfolio Management
Web Server
HTTPS
Yes
5.9
Network
High
None
Required
Un-
changed
High
Low
None
16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0
CVE-2020-14618
Primavera Unifier
Mobile App
HTTPS
Yes
5.9
Network
High
None
Required
Un-
changed
High
Low
None
Prior to 20.6
CVE-2020-14617
Primavera Unifier
Platform, Mobile App
HTTPS
No
5.7
Network
Low
Low
Required
Un-
changed
High
None
None
16.1, 16.2, 17.7-17.12, 18.8, 19.12; Mobile App: Prior to 20.6
CVE-2020-14653
Primavera P6 Enterprise Project Portfolio Management
Web Access
HTTP
No
5.4
Network
Low
Low
None
Un-
changed
Low
Low
None
16.1.0.0-16.2.20.1, 17.1.0.0-17.12.17.1, 18.1.0.0-18.8.18.2
CVE-2020-14529
Primavera Portfolio Management
Investor Module
HTTP
No
5.4
Network
Low
Low
Required
Changed
Low
Low
None
16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0
CVE-2020-1934
Instantis EnterpriseTrack
Core (Apache HTTP Server)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
17.1-17.3
CVE-2020-14566
Primavera Portfolio Management
Web Access
HTTP
Yes
4.3
Network
Low
None
Required
Un-
changed
None
Low
None
16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0
CVE-2020-9488
Instantis EnterpriseTrack
Logging (Log4j)
SMTPS
Yes
3.7
Network
High
None
None
Un-
changed
Low
None
None
17.1-17.3
CVE-2020-9488
Primavera Gateway
Admin (Log4j)
SMTPS
Yes
3.7
Network
High
None
None
Un-
changed
Low
None
None
16.2.0-16.2.11, 17.12.0-17.12.7, 18.8.0-18.8.9, 19.12.0-19.12.4
Additional CVEs addressed are below:
- The patch for CVE-2017-5645 also addresses CVE-2020-1945.
- The patch for CVE-2018-17196 also addresses CVE-2017-12610 and CVE-2018-1288.
- The patch for CVE-2020-10683 also addresses CVE-2018-1000632.
- The patch for CVE-2020-11022 also addresses CVE-2020-11023.
- The patch for CVE-2020-1934 also addresses CVE-2020-1927.
- The patch for CVE-2020-9484 also addresses CVE-2019-17569, CVE-2020-1935 and CVE-2020-1938.
- The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.
Oracle E-Business Suite Risk Matrix
This Critical Patch Update contains 30 new security patches for the Oracle E-Business Suite. 24 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the July 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (July 2020), My Oracle Support Note 2679563.1.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14598
Oracle CRM Gateway for Mobile Devices
Setup of Mobile Applications
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
12.1.1-12.1.3
CVE-2020-14599
Oracle CRM Gateway for Mobile Devices
Setup of Mobile Applications
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
12.1.1-12.1.3
CVE-2020-14658
Oracle Marketing
Marketing Administration
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14665
Oracle Trade Management
Invoice
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14670
Oracle Advanced Outbound Telephony
Settings
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14671
Oracle Advanced Outbound Telephony
User Interface
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.1-12.1.3
CVE-2020-14534
Oracle Applications Framework
Popups
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.2.9
CVE-2020-14688
Oracle Common Applications
CRM User Management Framework
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.3, 12.2.3-12.2.9
CVE-2020-14660
Oracle CRM Technical Foundation
Preferences
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.3, 12.2.3-12.2.9
CVE-2020-14682
Oracle Depot Repair
Estimate and Actual Charges
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.1-12.1.3
CVE-2020-14668
Oracle E-Business Intelligence
DBI Setups
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.1-12.1.3
CVE-2020-14681
Oracle E-Business Intelligence
DBI Setups
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.1-12.1.3
CVE-2020-14666
Oracle Email Center
Message Display
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14596
Oracle iStore
Address Book
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.1-12.1.3
CVE-2020-14582
Oracle iStore
User Registration
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14686
Oracle iSupport
Others
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14719
Oracle Internet Expenses
Mobile Expenses Admin Utilities
HTTP
No
7.7
Network
Low
Low
None
Changed
None
High
None
12.2.4-12.2.9
CVE-2020-14720
Oracle Internet Expenses
Mobile Expenses Admin Utilities
HTTP
No
7.7
Network
Low
Low
None
Changed
High
None
None
12.2.4-12.2.9
CVE-2020-14610
Oracle Applications Framework
Attachments / File Upload
HTTP
No
7.6
Network
Low
Low
Required
Changed
High
Low
None
12.2.9
CVE-2020-14657
Oracle CRM Technical Foundation
Preferences
HTTP
No
7.6
Network
Low
Low
Required
Changed
High
Low
None
12.1.3, 12.2.3-12.2.9
CVE-2020-14667
Oracle CRM Technical Foundation
Preferences
HTTP
No
7.6
Network
Low
Low
Required
Changed
High
Low
None
12.1.3, 12.2.3-12.2.9
CVE-2020-14679
Oracle CRM Technical Foundation
Preferences
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
12.1.3, 12.2.3-12.2.9
CVE-2020-14635
Oracle Application Object Library
Logging
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
12.2.5-12.2.9
CVE-2020-14554
Oracle Application Object Library
Diagnostics
HTTP
Yes
4.7
Network
Low
None
Required
Changed
None
Low
None
12.1.3, 12.2.3-12.2.8
CVE-2020-14716
Oracle Common Applications
CRM User Management Framework
HTTP
Yes
4.7
Network
Low
None
Required
Changed
None
Low
None
12.1.3, 12.2.3-12.2.9
CVE-2020-14717
Oracle Common Applications
CRM User Management Framework
HTTP
Yes
4.7
Network
Low
None
Required
Changed
None
Low
None
12.1.3, 12.2.3-12.2.9
CVE-2020-14659
Oracle CRM Technical Foundation
Preferences
HTTP
Yes
4.7
Network
Low
None
Required
Changed
None
Low
None
12.1.3, 12.2.3-12.2.9
CVE-2020-14661
Oracle CRM Technical Foundation
Preferences
HTTP
Yes
4.7
Network
Low
None
Required
Changed
None
Low
None
12.1.3, 12.2.3-12.2.9
CVE-2020-14555
Oracle Marketing
Marketing Administration
HTTP
Yes
4.7
Network
Low
None
Required
Changed
None
Low
None
12.1.1-12.1.3, 12.2.3-12.2.9
CVE-2020-14590
Oracle Applications Framework
Page Request
HTTP
No
2.7
Network
Low
High
None
Un-
changed
Low
None
None
12.1.3, 12.2.3-12.2.9
Oracle Enterprise Manager Risk Matrix
This Critical Patch Update contains 14 new security patches for Oracle Enterprise Manager. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.
Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the July 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2664876.1.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-9546
Enterprise Manager Base Platform
Enterprise Manager Install (jackson-databind)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
13.3.0.0, 13.4.0.0
CVE-2017-5645
Oracle Application Testing Suite
Load Testing for Web Apps (Log4j)
Multiple
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
13.3.0.1
CVE-2020-1945
Enterprise Manager Ops Center
Networking (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
12.4.0.0
CVE-2019-0227
Enterprise Manager for Fusion Middleware
Coherence Management (Apache Axis)
HTTP
Yes
8.8
Adjacent
Network
Low
None
None
Un-
changed
High
High
High
12.1.0.5
CVE-2018-11776
Enterprise Manager Base Platform
Reporting Framework (Apache Struts 2)
HTTP
Yes
8.1
Network
High
None
None
Un-
changed
High
High
High
13.3.0.0, 13.4.0.0
CVE-2019-0227
Enterprise Manager Base Platform
Application Service Level Mgmt (Apache Axis)
HTTP
Yes
7.5
Adjacent
Network
High
None
None
Un-
changed
High
High
High
12.1.0.5, 13.3.0.0
CVE-2020-7595
Oracle Real User Experience Insight
APM Mesh (libxml2)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
13.3.1.0
CVE-2020-2982
Enterprise Manager Base Platform
Enterprise Config Management
HTTP
No
7.1
Network
Low
Low
None
Un-
changed
High
Low
None
13.3.0.0, 13.4.0.0
CVE-2020-2984
Oracle Configuration Manager
Discovery and collection script
HTTP
No
7.1
Network
Low
Low
None
Un-
changed
High
Low
None
12.1.2.0.6
CVE-2020-2983
Oracle Data Masking and Subsetting
Data Masking
HTTP
No
7.1
Network
Low
Low
None
Un-
changed
High
Low
None
13.3.0.0, 13.4.0.0
CVE-2019-17091
Oracle Application Testing Suite
Load Testing for Web Apps (Eclipse Mojarra)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
13.2.0.1, 13.3.0.1
CVE-2019-12415
Enterprise Manager Base Platform
Application Service Level Mgmt (Apache POI)
None
No
5.5
Local
Low
Low
None
Un-
changed
High
None
None
12.1.0.5, 13.3.0.0, 13.4.0.0
CVE-2020-1934
Enterprise Manager Ops Center
Networking (Apache HTTP Server)
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
12.4.0.0
CVE-2019-1551
Enterprise Manager Ops Center
Networking (OpenSSL)
HTTPS
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
12.4.0.0
Additional CVEs addressed are below:
- The patch for CVE-2019-0227 also addresses CVE-2018-8032.
- The patch for CVE-2019-12415 also addresses CVE-2017-12626.
- The patch for CVE-2019-1551 also addresses CVE-2020-1967.
- The patch for CVE-2020-1934 also addresses CVE-2019-0220, CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097 and CVE-2020-1927.
- The patch for CVE-2020-1945 also addresses CVE-2017-5645.
- The patch for CVE-2020-7595 also addresses CVE-2019-19956 and CVE-2019-20388.
- The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.
Oracle Financial Services Applications Risk Matrix
This Critical Patch Update contains 38 new security patches for Oracle Financial Services Applications. 26 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2019-13990
Oracle Banking Payments
Core (Terracotta Quartz Scheduler)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
14.1.0-14.4.0
CVE-2020-9546
Oracle Banking Platform
Framework (jackson-databind)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
2.4.0-2.9.0
CVE-2019-2904
Oracle Financial Services Lending and Leasing
Core (Application Development Framework)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.5.0, 14.1.0-14.2.0
CVE-2017-5645
Oracle Financial Services Lending and Leasing
Core (Log4j)
Multiple
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.5.0, 14.1.0-14.8.0
CVE-2017-15708
Oracle Financial Services Market Risk Measurement and Management
User Interface (Apache Synapse)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
8.0.6, 8.0.8
CVE-2019-13990
Oracle FLEXCUBE Investor Servicing
Infrastructure (Terracotta Quartz Scheduler)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2019-13990
Oracle FLEXCUBE Private Banking
Core (Terracotta Quartz Scheduler)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.0.0, 12.1.0
CVE-2019-11358
Oracle Insurance Accounting Analyzer
User Interface (jQuery)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
8.0.6-8.0.8
CVE-2020-1945
Oracle Financial Services Analytical Applications Infrastructure
Infrastructure (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
8.0.6-8.1.0
CVE-2020-1945
Oracle FLEXCUBE Investor Servicing
Infrastructure (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2020-1945
Oracle FLEXCUBE Private Banking
Utilities (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
12.0.0, 12.1.0
CVE-2020-14569
Oracle FLEXCUBE Investor Servicing
Infrastructure
HTTP
No
8.1
Network
Low
Low
None
Un-
changed
High
High
None
12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2020-1945
Oracle Banking Enterprise Collections
Installer (Apache Ant)
None
No
7.7
Local
Low
None
None
Un-
changed
High
High
None
2.7.0-2.9.0
CVE-2020-1945
Oracle Banking Platform
Installer (Apache Ant)
None
No
7.7
Local
Low
None
None
Un-
changed
High
High
None
2.4.0-2.9.0
CVE-2019-0227
Oracle Financial Services Compliance Regulatory Reporting
Web Service to Regulatory Report (Apache Axis)
HTTP
Yes
7.5
Adjacent
Network
High
None
None
Un-
changed
High
High
High
8.0.6-8.0.8
CVE-2019-12402
Oracle FLEXCUBE Investor Servicing
Infrastructure (Apache Commons Compress)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2019-12423
Oracle FLEXCUBE Private Banking
Core (Apache CXF)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
High
None
None
12.0.0, 12.1.0
CVE-2019-0188
Oracle FLEXCUBE Private Banking
Core (Apache Camel)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
High
None
None
12.0.0, 12.1.0
CVE-2019-17359
Oracle FLEXCUBE Private Banking
Core (Bouncy Castle Java Library)
TLS
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
12.0.0, 12.1.0
CVE-2020-14602
Oracle Financial Services Analytical Applications Infrastructure
Infrastructure
HTTP
No
7.1
Network
Low
Low
None
Un-
changed
Low
High
None
8.0.6-8.1.0
CVE-2020-14691
Oracle Financial Services Liquidity Risk Management
User Interface
HTTP
No
7.1
Network
Low
Low
None
Un-
changed
Low
High
None
8.0.6
CVE-2020-14605
Oracle Financial Services Analytical Applications Infrastructure
Infrastructure
HTTP
No
6.5
Network
Low
Low
None
Un-
changed
None
High
None
8.0.6-8.1.0
CVE-2020-14685
Oracle Financial Services Analytical Applications Infrastructure
Infrastructure
HTTP
No
6.5
Network
Low
Low
None
Un-
changed
None
High
None
8.0.6-8.1.0
CVE-2020-14692
Oracle Financial Services Loan Loss Forecasting and Provisioning
User Interface
HTTP
No
6.5
Network
Low
Low
None
Un-
changed
None
High
None
8.0.6-8.0.8
CVE-2020-14693
Oracle Insurance Accounting Analyzer
User Interface
HTTP
No
6.5
Network
Low
Low
None
Un-
changed
None
High
None
8.0.6-8.0.9
CVE-2020-14662
Oracle Financial Services Analytical Applications Infrastructure
Infrastructure
HTTP
No
6.3
Network
Low
Low
None
Un-
changed
Low
Low
Low
8.0.6-8.1.0
CVE-2020-11022
Oracle Banking Enterprise Collections
User Interface (jQuery)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
2.7.0-2.8.0
CVE-2020-11022
Oracle Banking Platform
User Interface (jQuery)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
2.4.0-2.10.0
CVE-2020-14601
Oracle Financial Services Analytical Applications Infrastructure
Infrastructure
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.0.6-8.1.0
CVE-2020-14615
Oracle Financial Services Analytical Applications Infrastructure
Infrastructure
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.0.6-8.1.0
CVE-2020-11022
Oracle Financial Services Regulatory Reporting for De Nederlandsche Bank
User Interface (jQuery)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.0.4
CVE-2019-12415
Oracle Banking Payments
Core (Apache POI)
None
No
5.5
Local
Low
Low
None
Un-
changed
High
None
None
14.1.0-14.4.0
CVE-2019-12415
Oracle FLEXCUBE Private Banking
Core (Apache POI)
None
No
5.5
Local
Low
Low
None
Un-
changed
High
None
None
12.0.0, 12.1.0
CVE-2020-14603
Oracle Financial Services Analytical Applications Infrastructure
Infrastructure
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
8.0.6-8.1.0
CVE-2020-14604
Oracle Financial Services Analytical Applications Infrastructure
Infrastructure
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
8.0.6-8.1.0
CVE-2020-14684
Oracle Financial Services Analytical Applications Infrastructure
Infrastructure
HTTP
Yes
4.3
Network
Low
None
Required
Un-
changed
None
Low
None
8.0.6-8.1.0
CVE-2020-9488
Oracle Banking Platform
Collections (Log4j)
SMTPS
Yes
3.7
Network
High
None
None
Un-
changed
Low
None
None
2.4.0-2.10.0
CVE-2020-9488
Oracle FLEXCUBE Investor Servicing
Infrastructure (Log4j)
SMTPS
Yes
3.7
Network
High
None
None
Un-
changed
Low
None
None
12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
Additional CVEs addressed are below:
- The patch for CVE-2017-5645 also addresses CVE-2020-9488.
- The patch for CVE-2019-0227 also addresses CVE-2018-8032.
- The patch for CVE-2019-12423 also addresses CVE-2019-17573.
- The patch for CVE-2019-13990 also addresses CVE-2019-12402 and CVE-2019-5427.
- The patch for CVE-2020-11022 also addresses CVE-2020-11023.
- The patch for CVE-2020-1945 also addresses CVE-2017-5645.
- The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.
Oracle Food and Beverage Applications Risk Matrix
This Critical Patch Update contains 4 new security patches for Oracle Food and Beverage Applications. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14543
Oracle Hospitality Reporting and Analytics
Installation
None
No
7.3
Local
Low
Low
Required
Un-
changed
High
High
High
9.1.0
CVE-2020-14561
Oracle Hospitality Reporting and Analytics
Installation
None
No
7.3
Local
Low
Low
Required
Un-
changed
High
High
High
9.1.0
CVE-2020-14594
Oracle Hospitality Reporting and Analytics
Inventory Integration
None
No
6.5
Local
Low
High
Required
Un-
changed
High
High
High
9.1.0
CVE-2020-14616
Oracle Hospitality Reporting and Analytics
Reporting
HTTP
No
2.7
Network
Low
High
None
Un-
changed
Low
None
None
9.1.0
Oracle Fusion Middleware Risk Matrix
This Critical Patch Update contains 52 new security patches for Oracle Fusion Middleware. 48 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update July 2020 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2664876.1.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-5645
Oracle Endeca Information Discovery Studio
Studio (Apache Ant)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
3.2.0
CVE-2019-17531
Oracle WebCenter Portal
Security Framework (jackson-databind)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.2.1.3.0, 12.2.1.4.0
CVE-2020-9546
Oracle WebLogic Server
Centralized Thirdparty Jars (jackson-databind)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.2.1.3.0, 12.2.1.4.0
CVE-2018-11058
Oracle WebLogic Server
Security Service (RSA BSAFE)
HTTPS
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14625
Oracle WebLogic Server
Core
IIOP, T3
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14644
Oracle WebLogic Server
Core
IIOP, T3
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14645
Oracle WebLogic Server
Core
IIOP, T3
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14687
Oracle WebLogic Server
Core
IIOP, T3
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2017-5645
Oracle WebLogic Server
Centralized Thirdparty Jars (Log4j)
Multiple
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2017-5645
Oracle WebLogic Server
Console (Log4j)
Multiple
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-1945
Oracle Endeca Information Discovery Studio
Studio (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
3.2.0
CVE-2020-1945
Oracle Enterprise Repository
Security Subsystem (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
11.1.1.7.0
CVE-2020-8112
Oracle Outside In Technology
Installation (OpenJPEG)
HTTP
Yes
8.8
Network
Low
None
Required
Un-
changed
High
High
High
8.5.5, 8.5.4
See Note 1
CVE-2020-14609
Oracle Business Intelligence Enterprise Edition
Analytics Web Answers
HTTP
Yes
8.6
Network
Low
None
None
Un-
changed
High
Low
Low
5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14611
Oracle WebCenter Portal
Composer
HTTP
Yes
8.6
Network
Low
None
None
Un-
changed
Low
High
Low
12.2.1.3.0, 12.2.1.4.0
CVE-2020-14584
Oracle BI Publisher
BI Publisher Security
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.2.1.3.0, 12.2.1.4.0
CVE-2020-14585
Oracle BI Publisher
Mobile Service
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14690
Oracle Business Intelligence Enterprise Edition
Analytics Actions
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14608
Oracle Fusion Middleware MapViewer
Tile Server
HTTP
Yes
8.2
Network
Low
None
None
Un-
changed
Low
High
None
12.2.1.3.0
CVE-2020-14723
Oracle Help Technologies
Web UIX
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
11.1.1.9.0, 12.2.1.3.0
CVE-2020-14588
Oracle WebLogic Server
Web Container
HTTP
Yes
8.2
Network
Low
None
None
Un-
changed
Low
High
None
10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14626
Oracle Business Intelligence Enterprise Edition
Analytics Web General
HTTP
Yes
8.1
Network
High
None
None
Un-
changed
High
High
High
5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14565
Oracle Unified Directory
Security
HTTP
No
8.1
Network
Low
High
Required
Changed
None
High
High
11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-17359
Oracle Business Process Management Suite
Runtime Engine (Bouncy Castle Java Library)
HTTPS
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
12.2.1.3.0, 12.2.1.4.0
CVE-2020-14642
Oracle Coherence
CacheStore
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2019-0227
Oracle WebCenter Portal
WebCenter Spaces Application (Apache Axis)
HTTP
Yes
7.5
Adjacent
Network
High
None
None
Un-
changed
High
High
High
12.2.1.3.0
CVE-2020-14639
Oracle WebLogic Server
Sample apps
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
High
None
None
12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-5398
Oracle WebLogic Server
Sample apps (Spring Framework)
HTTP
Yes
7.5
Network
High
None
Required
Un-
changed
High
High
High
12.2.1.3.0, 12.2.1.4.0
CVE-2020-14589
Oracle WebLogic Server
Web Container
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-2967
Oracle WebLogic Server
Web Services
IIOP, T3
Yes
7.5
Network
Low
None
None
Un-
changed
High
None
None
10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14696
Oracle BI Publisher
Layout Templates
HTTP
Yes
7.2
Network
Low
None
None
Changed
Low
Low
None
11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14571
Oracle BI Publisher
Mobile Service
HTTP
Yes
7.2
Network
Low
None
None
Changed
Low
Low
None
11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14570
Oracle BI Publisher
Mobile Service
HTTP
Yes
7.1
Network
Low
None
Required
Un-
changed
High
Low
None
11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14552
Oracle WebCenter Portal
Security Framework
HTTP
No
6.8
Network
Low
Low
Required
Changed
High
None
None
11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14557
Oracle WebLogic Server
Web Container
HTTP
Yes
6.8
Network
High
None
Required
Un-
changed
High
High
None
12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14655
Oracle Security Service
SSL API
HTTPS
Yes
6.5
Network
High
None
None
Un-
changed
High
Low
None
11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14652
Oracle WebLogic Server
Core
HTTP
Yes
6.5
Network
Low
None
None
Un-
changed
Low
Low
None
10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2019-14862
Oracle Business Intelligence Enterprise Edition
BI Platform Security (Knockout)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.2.1.3.0, 12.2.1.4.0
CVE-2020-1941
Oracle Enterprise Repository
Security Subsystem (Apache ActiveMQ)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
11.1.1.7.0
CVE-2020-14607
Oracle Fusion Middleware MapViewer
Tile Server
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.2.1.3.0, 12.2.1.4.0
CVE-2020-14613
Oracle WebCenter Sites
Advanced User Interface
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.2.1.3.0, 12.2.1.4.0
CVE-2020-14572
Oracle WebLogic Server
Console
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14636
Oracle WebLogic Server
Sample apps
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14637
Oracle WebLogic Server
Sample apps
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14638
Oracle WebLogic Server
Sample apps
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14640
Oracle WebLogic Server
Sample apps
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14530
Oracle Security Service
None
HTTPS
Yes
5.9
Network
High
None
None
Un-
changed
High
None
None
11.1.1.9.0
CVE-2019-12415
Oracle WebCenter Portal
Security Framework (Apache POI)
None
No
5.5
Local
Low
Low
None
Un-
changed
High
None
None
12.2.1.3.0, 12.2.1.4.0
CVE-2020-2966
Oracle WebLogic Server
Console
HTTP
Yes
5.4
Network
Low
None
Required
Un-
changed
Low
Low
None
10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14622
Oracle WebLogic Server
Core
HTTP
No
4.9
Network
Low
High
None
Un-
changed
High
None
None
10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-9488
Oracle Fusion Middleware MapViewer
Install (Log4j)
SMTPS
Yes
3.7
Network
High
None
None
Un-
changed
Low
None
None
12.2.1.3.0, 12.2.1.4.0
CVE-2020-14548
Oracle Business Intelligence Enterprise Edition
Analytics Web General
HTTP
Yes
3.4
Network
High
None
Required
Changed
Low
None
None
12.2.1.3.0, 12.2.1.4.0
Notes:
- Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.
Additional CVEs addressed are below:
- The patch for CVE-2017-5645 also addresses CVE-2019-17571.
- The patch for CVE-2019-0227 also addresses CVE-2018-8032.
- The patch for CVE-2019-17531 also addresses CVE-2019-16943, CVE-2019-17267, CVE-2019-20330 and CVE-2020-9546.
- The patch for CVE-2020-1945 also addresses CVE-2017-5645.
- The patch for CVE-2020-5398 also addresses CVE-2020-5397.
- The patch for CVE-2020-8112 also addresses CVE-2018-6616, CVE-2019-12973 and CVE-2020-6851.
- The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.
Oracle GraalVM Risk Matrix
This Critical Patch Update contains 4 new security patches for Oracle GraalVM. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2019-17560
Oracle GraalVM Enterprise Edition
GraalVM Compiler (Apache NetBeans)
HTTPS
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
19.3.2, 20.1.0
CVE-2020-14583
Oracle GraalVM Enterprise Edition
Java
Multiple
Yes
8.3
Network
High
None
Required
Changed
High
High
High
19.3.2, 20.1.0
CVE-2020-11080
Oracle GraalVM Enterprise Edition
JavaScript (Node.js)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
19.3.2, 20.1.0
CVE-2020-14718
Oracle GraalVM Enterprise Edition
JVMCI
Multiple
No
7.2
Network
Low
High
None
Un-
changed
High
High
High
19.3.2, 20.1.0
Additional CVEs addressed are below:
- The patch for CVE-2019-17560 also addresses CVE-2019-17561.
- The patch for CVE-2020-11080 also addresses CVE-2020-8172.
Oracle Health Sciences Applications Risk Matrix
This Critical Patch Update contains 4 new security patches for Oracle Health Sciences Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-1938
Oracle Health Sciences Empirica Inspections
Web server (Apache Tomcat)
Apache JServ Protocol (AJP)
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
1.0.1.2
CVE-2020-1938
Oracle Health Sciences Empirica Signal
Web server (Apache Tomcat)
Apache JServ Protocol (AJP)
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
7.3.3
CVE-2020-5398
Oracle Healthcare Master Person Index
Master Data Management (Spring Framework)
HTTP
Yes
7.5
Network
High
None
Required
Un-
changed
High
High
High
4.0.2
CVE-2020-11022
Oracle Healthcare Translational Research
Cohort Explorer (jQuery)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
3.2.1, 3.3.1, 3.3.2, 3.4.0
Additional CVEs addressed are below:
- The patch for CVE-2020-11022 also addresses CVE-2020-11023.
- The patch for CVE-2020-1938 also addresses CVE-2019-17569 and CVE-2020-1935.
- The patch for CVE-2020-5398 also addresses CVE-2020-5397.
Oracle Hospitality Applications Risk Matrix
This Critical Patch Update contains 1 new security patch for Oracle Hospitality Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-1938
Oracle Hospitality Guest Access
Base (Apache Tomcat)
Apache JServ Protocol (AJP)
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
4.2.0, 4.2.1
Additional CVEs addressed are below:
- The patch for CVE-2020-1938 also addresses CVE-2019-17569 and CVE-2020-1935.
Oracle Hyperion Risk Matrix
This Critical Patch Update contains 3 new security patches for Oracle Hyperion. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14546
Hyperion Financial Close Management
Close Manager
HTTP
No
4.2
Network
High
High
Required
Un-
changed
None
High
None
11.1.2.4
CVE-2020-14560
Oracle Hyperion BI+
UI and Visualization
HTTP
No
4.2
Network
High
High
Required
Un-
changed
High
None
None
11.1.2.4
CVE-2020-14541
Hyperion Financial Close Management
Close Manager
HTTP
No
2.0
Network
High
High
Required
Un-
changed
None
Low
None
11.1.2.4
Oracle iLearning Risk Matrix
This Critical Patch Update contains 1 new security patch for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14595
Oracle iLearning
Assessment Manager
HTTP
Yes
8.2
Network
Low
None
None
Un-
changed
High
None
Low
6.1, 6.1.1
Oracle Insurance Applications Risk Matrix
This Critical Patch Update contains 6 new security patches for Oracle Insurance Applications. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-12626
Oracle Insurance Policy Administration J2EE
Architecture (Apache POI)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
10.2.0, 10.2.4
CVE-2020-5398
Oracle Insurance Policy Administration J2EE
Architecture (Spring Framework)
HTTP
Yes
7.5
Network
High
None
Required
Un-
changed
High
High
High
10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0
CVE-2020-5398
Oracle Insurance Rules Palette
Architecture (Spring Framework)
HTTP
Yes
7.5
Network
High
None
Required
Un-
changed
High
High
High
10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0
CVE-2019-12415
Oracle Insurance Policy Administration J2EE
Architecture (Apache POI)
None
No
5.5
Local
Low
Low
None
Un-
changed
High
None
None
11.0.2, 11.1.0, 11.2.0
CVE-2019-12415
Oracle Insurance Rules Palette
Architecture (Apache POI)
None
No
5.5
Local
Low
Low
None
Un-
changed
High
None
None
10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0
CVE-2020-9488
Oracle Insurance Data Gateway
Security (Log4j)
SMTPS
Yes
3.7
Network
High
None
None
Un-
changed
Low
None
None
1.0
Additional CVEs addressed are below:
- The patch for CVE-2019-12415 also addresses CVE-2017-12626.
- The patch for CVE-2020-5398 also addresses CVE-2018-15756 and CVE-2020-5397.
Oracle Java SE Risk Matrix
This Critical Patch Update contains 11 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14664
Java SE
JavaFX
Multiple
Yes
8.3
Network
High
None
Required
Changed
High
High
High
Java SE: 8u251
See Note 1
CVE-2020-14583
Java SE, Java SE Embedded
Libraries
Multiple
Yes
8.3
Network
High
None
Required
Changed
High
High
High
Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251
See Note 1
CVE-2020-14593
Java SE, Java SE Embedded
2D
Multiple
Yes
7.4
Network
Low
None
Required
Changed
None
High
None
Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251
See Note 1
CVE-2020-14562
Java SE
ImageIO
Multiple
Yes
5.3
Network
Low
None
None
Un-
changed
None
None
Low
Java SE: 11.0.7, 14.0.1
See Note 1
CVE-2020-14621
Java SE, Java SE Embedded
JAXP
Multiple
Yes
5.3
Network
Low
None
None
Un-
changed
None
Low
None
Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251
See Note 2
CVE-2020-14556
Java SE, Java SE Embedded
Libraries
Multiple
Yes
4.8
Network
High
None
None
Un-
changed
Low
Low
None
Java SE: 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251
See Note 3
CVE-2020-14573
Java SE
Hotspot
Multiple
Yes
3.7
Network
High
None
None
Un-
changed
None
Low
None
Java SE: 11.0.7, 14.0.1
See Note 3
CVE-2020-14581
Java SE, Java SE Embedded
2D
Multiple
Yes
3.7
Network
High
None
None
Un-
changed
Low
None
None
Java SE: 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251
See Note 3
CVE-2020-14578
Java SE, Java SE Embedded
Libraries
Multiple
Yes
3.7
Network
High
None
None
Un-
changed
None
None
Low
Java SE: 7u261, 8u251; Java SE Embedded: 8u251
See Note 3
CVE-2020-14579
Java SE, Java SE Embedded
Libraries
Multiple
Yes
3.7
Network
High
None
None
Un-
changed
None
None
Low
Java SE: 7u261, 8u251; Java SE Embedded: 8u251
See Note 3
CVE-2020-14577
Java SE, Java SE Embedded
JSSE
TLS
Yes
3.7
Network
High
None
None
Un-
changed
Low
None
None
Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251
See Note 3
Notes:
- This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
- This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
- Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
Oracle JD Edwards Risk Matrix
This Critical Patch Update contains 6 new security patches for Oracle JD Edwards. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-9546
JD Edwards EnterpriseOne Orchestrator
E1 IOT Orchestrator Security (jackson-databind)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
Prior to 9.2.4.2
CVE-2020-9546
JD Edwards EnterpriseOne Tools
EnterpriseOne Mobility Sec (jackson-databind)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
Prior to 9.2.4.2
CVE-2020-9546
JD Edwards EnterpriseOne Tools
Monitoring and Diagnostics (jackson-databind)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
Prior to 9.2.4.2
CVE-2020-9546
JD Edwards EnterpriseOne Tools
Web Runtime (jackson-databind)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
Prior to 9.2.4.2
CVE-2020-9488
JD Edwards EnterpriseOne Tools
Installation SEC (Log4j)
SMTPS
Yes
3.7
Network
High
None
None
Un-
changed
Low
None
None
Prior to 9.2.3.3
CVE-2020-9488
JD Edwards EnterpriseOne Tools
Monitoring and Diagnostics (Log4j)
SMTPS
Yes
3.7
Network
High
None
None
Un-
changed
Low
None
None
Prior to 9.2.3.3
Additional CVEs addressed are below:
- The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.
Oracle MySQL Risk Matrix
This Critical Patch Update contains 41 new security patches for Oracle MySQL. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-1938
MySQL Enterprise Monitor
Monitoring: General (Apache Tomcat)
Apache JServ Protocol (AJP)
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
4.0.12 and prior, 8.0.20 and prior
CVE-2020-1967
MySQL Connectors
Connector/C++ (OpenSSL)
TLS
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
8.0.20 and prior
CVE-2020-1967
MySQL Connectors
Connector/ODBC (OpenSSL)
TLS
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
8.0.20 and prior
CVE-2020-5398
MySQL Enterprise Monitor
Monitoring: General (Spring Framework)
HTTPS
Yes
7.5
Network
High
None
Required
Un-
changed
High
High
High
4.0.12 and prior, 8.0.20 and prior
CVE-2020-1967
MySQL Server
Server: Security: Encryption (OpenSSL)
MySQL Protocol
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior
CVE-2020-14663
MySQL Server
Server: Security: Privileges
MySQL Protocol
No
7.2
Network
Low
High
None
Un-
changed
High
High
High
8.0.20 and prior
CVE-2020-14678
MySQL Server
Server: Security: Privileges
MySQL Protocol
No
7.2
Network
Low
High
None
Un-
changed
High
High
High
8.0.20 and prior
CVE-2020-14697
MySQL Server
Server: Security: Privileges
MySQL Protocol
No
7.2
Network
Low
High
None
Un-
changed
High
High
High
8.0.20 and prior
CVE-2020-14591
MySQL Server
Server: Audit Plug-in
MySQL Protocol
No
6.5
Network
Low
Low
None
Un-
changed
None
None
High
8.0.20 and prior
CVE-2020-14539
MySQL Server
Server: Optimizer
MySQL Protocol
No
6.5
Network
Low
Low
None
Un-
changed
None
None
High
5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior
CVE-2020-14680
MySQL Server
Server: Optimizer
MySQL Protocol
No
6.5
Network
Low
Low
None
Un-
changed
None
None
High
8.0.20 and prior
CVE-2020-14619
MySQL Server
Server: Parser
MySQL Protocol
No
6.5
Network
Low
Low
None
Un-
changed
None
None
High
8.0.20 and prior
CVE-2020-14576
MySQL Server
Server: UDF
MySQL Protocol
No
6.5
Network
Low
Low
None
Un-
changed
None
None
High
5.7.30 and prior, 8.0.20 and prior
CVE-2020-14643
MySQL Server
Server: Security: Roles
MySQL Protocol
No
5.5
Network
Low
High
None
Un-
changed
None
Low
High
8.0.20 and prior
CVE-2020-14651
MySQL Server
Server: Security: Roles
MySQL Protocol
No
5.5
Network
Low
High
None
Un-
changed
None
Low
High
8.0.20 and prior
CVE-2020-14550
MySQL Client
C API
MySQL Protocol
No
5.3
Network
High
Low
None
Un-
changed
None
None
High
5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior
CVE-2019-1551
MySQL Enterprise Monitor
Monitoring: General (OpenSSL)
HTTPS
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
4.0.12 and prior, 8.0.20 and prior
CVE-2020-14568
MySQL Server
InnoDB
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.20 and prior
CVE-2020-14623
MySQL Server
InnoDB
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.20 and prior
CVE-2020-14540
MySQL Server
Server: DML
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
5.7.30 and prior, 8.0.20 and prior
CVE-2020-14575
MySQL Server
Server: DML
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.20 and prior
CVE-2020-14620
MySQL Server
Server: DML
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.20 and prior
CVE-2020-14624
MySQL Server
Server: JSON
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.20 and prior
CVE-2020-14656
MySQL Server
Server: Locking
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.20 and prior
CVE-2020-14547
MySQL Server
Server: Optimizer
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
5.7.30 and prior, 8.0.20 and prior
CVE-2020-14597
MySQL Server
Server: Optimizer
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.20 and prior
CVE-2020-14614
MySQL Server
Server: Optimizer
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.20 and prior
CVE-2020-14654
MySQL Server
Server: Optimizer
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.20 and prior
CVE-2020-14725
MySQL Server
Server: Optimizer
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.20 and prior
CVE-2020-14632
MySQL Server
Server: Options
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.20 and prior
CVE-2020-14567
MySQL Server
Server: Replication
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
5.7.29 and prior, 8.0.19 and prior
CVE-2020-14631
MySQL Server
Server: Security: Audit
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.20 and prior
CVE-2020-14586
MySQL Server
Server: Security: Privileges
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.20 and prior
CVE-2020-14702
MySQL Server
Server: Security: Privileges
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
None
None
High
8.0.20 and prior
CVE-2020-14641
MySQL Server
Server: Security: Roles
MySQL Protocol
No
4.9
Network
Low
High
None
Un-
changed
High
None
None
8.0.20 and prior
CVE-2020-14559
MySQL Server
Server: Information Schema
MySQL Protocol
No
4.3
Network
Low
Low
None
Un-
changed
Low
None
None
5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior
CVE-2020-14553
MySQL Server
Server: Pluggable Auth
MySQL Protocol
No
4.3
Network
Low
Low
None
Un-
changed
None
Low
None
5.7.30 and prior, 8.0.20 and prior
CVE-2020-14633
MySQL Server
InnoDB
MySQL Protocol
No
2.7
Network
Low
High
None
Un-
changed
None
Low
None
8.0.20 and prior
CVE-2020-14634
MySQL Server
InnoDB
MySQL Protocol
No
2.7
Network
Low
High
None
Un-
changed
Low
None
None
8.0.20 and prior
CVE-2020-5258
MySQL Cluster
Cluster: Packaging (dojo)
Multiple
No
0.0
Network
Low
Low
Required
Un-
changed
None
None
None
7.3.29 and prior, 7.4.28 and prior, 7.5.18 and prior, 7.6.14 and prior, 8.0.20 and prior
See Note 1
CVE-2020-1967
MySQL Enterprise Monitor
Monitoring: General (OpenSSL)
HTTPS
No
0.0
Network
Low
None
None
Un-
changed
None
None
None
4.0.12 and prior, 8.0.20 and prior
See Note 2
Notes:
- This CVE is not exploitable in MySQL Cluster. The CVSS v3.1 Base Score for this CVE in the National Vulnerability Database (NVD) is 7.5.
- This CVE is not exploitable in MySQL Enterprise Monitor. The CVSS v3.1 Base Score for this CVE in the National Vulnerability Database (NVD) is 7.5.
Additional CVEs addressed are below:
- The patch for CVE-2020-1938 also addresses CVE-2019-17569 and CVE-2020-1935.
- The patch for CVE-2020-5398 also addresses CVE-2020-5397.
Oracle PeopleSoft Risk Matrix
This Critical Patch Update contains 11 new security patches for Oracle PeopleSoft. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2019-17359
PeopleSoft Enterprise HCM Global Payroll Switzerland
Global Payroll for Switzerland (Bouncy Castle Java Library)
HTTPS
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
9.2
CVE-2019-16056
PeopleSoft Enterprise PeopleTools
Porting (Python)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
High
None
None
8.57, 8.58
CVE-2019-11358
PeopleSoft Enterprise FIN Expenses
Expenses (jQuery)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
9.2
CVE-2020-14627
PeopleSoft Enterprise PeopleTools
Query
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.56, 8.57, 8.58
CVE-2020-14592
PeopleSoft Enterprise PeopleTools
Rich Text Editor
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
8.56, 8.57, 8.58
CVE-2020-14587
PeopleSoft Enterprise FIN Expenses
Expenses
HTTP
No
5.4
Network
Low
Low
None
Un-
changed
Low
Low
None
9.2
CVE-2020-14612
PeopleSoft Enterprise HRMS
Time and Labor
HTTP
No
5.4
Network
Low
Low
None
Un-
changed
Low
Low
None
9.2
CVE-2020-14558
PeopleSoft Enterprise PeopleTools
Portal
HTTP
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
8.56, 8.57, 8.58
CVE-2019-1551
PeopleSoft Enterprise PeopleTools
Security (OpenSSL)
HTTPS
Yes
5.3
Network
Low
None
None
Un-
changed
Low
None
None
8.56, 8.57, 8.58
CVE-2020-14600
PeopleSoft Enterprise PeopleTools
Portal
HTTP
Yes
4.3
Network
Low
None
Required
Un-
changed
None
Low
None
8.56, 8.57, 8.58
CVE-2020-14564
PeopleSoft Enterprise PeopleTools
Environment Mgmt Console
HTTP
No
2.7
Network
Low
High
None
Un-
changed
None
Low
None
8.56, 8.57, 8.58
Additional CVEs addressed are below:
- The patch for CVE-2019-16056 also addresses CVE-2019-16935.
Oracle Retail Applications Risk Matrix
This Critical Patch Update contains 47 new security patches for Oracle Retail Applications. 42 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2019-13990
Customer Management and Segmentation Foundation
Segment (Terracotta Quartz Scheduler)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
18.0
CVE-2019-12086
Customer Management and Segmentation Foundation
Segment (jackson-databind)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
18.0
CVE-2020-2555
Oracle Retail Assortment Planning
Application Core (Coherence)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
15.0, 16.0
CVE-2017-5645
Oracle Retail Extract Transform and Load
Mathematical Operators (Log4j)
Multiple
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
19.0
CVE-2020-1945
Oracle Retail Financial Integration
PeopleSoft Integration (Apache Ant)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
15.0, 16.0
CVE-2020-10683
Oracle Retail Integration Bus
RIB Kernal (dom4j)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
15.0, 16.0
CVE-2019-13990
Oracle Retail Integration Bus
RIB Kernal (Terracotta Quartz Scheduler)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
15.0, 16.0
CVE-2019-16943
Oracle Retail Merchandising System
Inventory Movement (jackson-databind)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
15.0.3, 16.0.2, 16.0.3
CVE-2019-16943
Oracle Retail Sales Audit
Transaction Maintenance (jackson-databind)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
14.1
CVE-2017-5645
Oracle Retail Service Backbone
Installer (Log4j)
Multiple
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
14.1, 15.0, 16.0
CVE-2019-13990
Oracle Retail Xstore Point of Service
Xenvironment (Terracotta Quartz Scheduler)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
15.0, 16.0, 17.0, 18.0, 19.0
CVE-2020-9546
Oracle Retail Xstore Point of Service
Xenvironment (jackson-databind)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
15.0, 16.0, 17.0, 18.0, 19.0
CVE-2020-1945
Category Management Planning & Optimization
ODI Integration (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
15.0.3
CVE-2020-1945
Oracle Retail Assortment Planning
Application Core (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
15.0.3, 16.0.3
CVE-2020-1945
Oracle Retail Bulk Data Integration
BDI Job Scheduler (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
15.0, 16.0
CVE-2020-1945
Oracle Retail Data Extractor for Merchandising
ODI Knowledge Module (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
1.9, 1.10
CVE-2020-1945
Oracle Retail Item Planning
Application Core (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
15.0.3
CVE-2020-1945
Oracle Retail Macro Space Optimization
ODI Integration (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
15.0.3
CVE-2020-1945
Oracle Retail Merchandise Financial Planning
Application Core (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
15.0.3
CVE-2020-1945
Oracle Retail Predictive Application Server
RPAS Server (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
14.0.3, 14.1.3, 15.0.3, 16.0.3
CVE-2020-1945
Oracle Retail Regular Price Optimization
Operations & Maintenance (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
15.0.3, 16.0.3
CVE-2020-1945
Oracle Retail Replenishment Optimization
Application Core (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
15.0.3
CVE-2020-1945
Oracle Retail Service Backbone
Install (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
15.0, 16.0
CVE-2020-1945
Oracle Retail Size Profile Optimization
Application Core (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
15.0.3
CVE-2020-1945
Oracle Retail Store Inventory Management
SIM Integration (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
14.0.4, 14.1.3, 15.0.3, 16.0.3
CVE-2015-9251
Oracle Retail Customer Management and Segmentation Foundation
Promotions (jQuery)
HTTP
No
8.0
Network
Low
Low
Required
Un-
changed
High
High
High
18.0
CVE-2020-5398
Oracle Retail Assortment Planning
Application Core (Spring Framework)
HTTP
Yes
7.5
Network
High
None
Required
Un-
changed
High
High
High
15.0, 16.0
CVE-2020-5398
Oracle Retail Financial Integration
PeopleSoft Integration (Spring Framework)
HTTP
Yes
7.5
Network
High
None
Required
Un-
changed
High
High
High
15.0, 16.0
CVE-2017-12626
Oracle Retail Fusion Platform
Retail Portal Framework (Apache POI)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
5.5
CVE-2020-5398
Oracle Retail Integration Bus
RIB Kernal (Spring Framework)
HTTP
Yes
7.5
Network
High
None
Required
Un-
changed
High
High
High
15.0.3, 16.0.3
CVE-2019-12423
Oracle Retail Order Broker
System Administration (Apache CXF)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
High
None
None
15.0
CVE-2020-5398
Oracle Retail Predictive Application Server
RPAS Server (Spring Framework)
HTTP
Yes
7.5
Network
High
None
Required
Un-
changed
High
High
High
14.0.3, 14.1.3, 15.0.3, 16.0.3
CVE-2020-5398
Oracle Retail Service Backbone
RSB Installation (Spring Framework)
HTTP
Yes
7.5
Network
High
None
Required
Un-
changed
High
High
High
15.0, 16.0
CVE-2019-10086
Customer Management and Segmentation Foundation
Promotions (Apache Commons-Beanutils)
HTTP
Yes
7.3
Network
Low
None
None
Un-
changed
Low
Low
Low
18.0
CVE-2020-14709
Customer Management and Segmentation Foundation
Card
HTTP
No
7.1
Network
Low
Low
None
Un-
changed
Low
High
None
16.0, 17.0, 18.0
CVE-2019-3740
Oracle Retail Store Inventory Management
SIM Integration (BSAFE Crypto-J)
TLS
Yes
6.5
Network
Low
None
Required
Un-
changed
High
None
None
14.0.4, 14.1.3, 15.0.3, 16.0.3
CVE-2019-17091
Oracle Retail Financial Integration
PeopleSoft Integration (Eclipse Mojarra)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
15.0, 16.0
CVE-2019-17091
Oracle Retail Integration Bus
RIB Kernal (Eclipse Mojarra)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
15.0, 16.0
CVE-2019-17091
Oracle Retail Invoice Matching
Pricing (Eclipse Mojarra)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
16.0
CVE-2019-17091
Oracle Retail Service Backbone
RSB kernel (Eclipse Mojarra)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
15.0, 16.0
CVE-2018-10237
Oracle Retail Integration Bus
Packaging (Google Guava)
HTTP
Yes
5.9
Network
High
None
None
Un-
changed
None
None
High
15.0, 16.0
CVE-2020-14710
Customer Management and Segmentation Foundation
Security
HTTP
No
5.4
Network
Low
Low
None
Un-
changed
Low
Low
None
16.0, 17.0, 18.0
CVE-2020-14708
Customer Management and Segmentation Foundation
Segment
HTTP
No
4.3
Network
Low
Low
None
Un-
changed
None
Low
None
16.0, 17.0, 18.0
CVE-2018-15756
Oracle Retail Xstore Point of Service
Point of Sale (Spring Framework)
HTTP
No
4.3
Network
Low
High
Required
Un-
changed
Low
Low
Low
7.1
CVE-2020-9488
Oracle Retail Data Extractor for Merchandising
Knowledge Module (Log4j)
SMTPS
Yes
3.7
Network
High
None
None
Un-
changed
Low
None
None
18.0
CVE-2020-9488
Oracle Retail Financial Integration
PeopleSoft Integration (Log4j)
SMTPS
Yes
3.7
Network
High
None
None
Un-
changed
Low
None
None
15.0, 16.0
CVE-2020-9488
Oracle Retail Store Inventory Management
SIM Integration (Log4j)
SMTPS
Yes
3.7
Network
High
None
None
Un-
changed
Low
None
None
14.0.4, 14.1.3, 15.0.3, 16.0.3
Additional CVEs addressed are below:
- The patch for CVE-2015-9251 also addresses CVE-2020-11022.
- The patch for CVE-2017-12626 also addresses CVE-2019-12415.
- The patch for CVE-2018-15756 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1199, CVE-2018-1257, CVE-2018-1270, CVE-2018-1271, CVE-2018-1272 and CVE-2018-1275.
- The patch for CVE-2019-12086 also addresses CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019-17531 and CVE-2019-20330.
- The patch for CVE-2019-12423 also addresses CVE-2019-17573.
- The patch for CVE-2019-13990 also addresses CVE-2019-5427.
- The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
- The patch for CVE-2019-3740 also addresses CVE-2019-3738 and CVE-2019-3739.
- The patch for CVE-2020-1945 also addresses CVE-2017-5645.
- The patch for CVE-2020-5398 also addresses CVE-2020-5397.
- The patch for CVE-2020-9546 also addresses CVE-2019-16942, CVE-2019-16943, CVE-2019-17531, CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.
Oracle Siebel CRM Risk Matrix
This Critical Patch Update contains 5 new security patches for Oracle Siebel CRM. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2019-16943
Siebel Engineering - Installer & Deployment
Siebel Approval Manager (jackson-databind)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
2.20.5 and prior
CVE-2020-1938
Siebel UI Framework
EAI, SWSE (Apache Tomcat)
Apache JServ Protocol (AJP)
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
20.5 and prior
CVE-2019-16943
Siebel UI Framework
EAI (jackson-databind)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
20.5 and prior
CVE-2020-14531
Siebel UI Framework
SWSE Server
HTTP
Yes
5.9
Network
High
None
Required
Un-
changed
High
Low
None
20.6 and prior
CVE-2020-9488
Siebel Engineering - Installer & Deployment
Siebel Approval Manager (Log4j)
SMTPS
Yes
3.7
Network
High
None
None
Un-
changed
Low
None
None
2.20.5 and prior
Additional CVEs addressed are below:
- The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
Oracle Supply Chain Risk Matrix
This Critical Patch Update contains 22 new security patches for Oracle Supply Chain. 18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2019-2729
Oracle Rapid Planning
Middle Tier
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.1, 12.2
CVE-2020-2555
Oracle Rapid Planning
Middle Tier
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.1, 12.2
CVE-2016-1000031
Oracle Rapid Planning
Middle Tier (Apache Commons FileUpload)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.1, 12.2
CVE-2016-5019
Oracle Rapid Planning
Middle Tier (Apache Trinidad)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.1, 12.2
CVE-2020-10683
Oracle Rapid Planning
Middle Tier (dom4j)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.1, 12.2
CVE-2016-4000
Oracle Rapid Planning
Middle Tier (jython)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.1, 12.2
CVE-2017-5645
Oracle Rapid Planning
Middle Tier (Apache Ant)
Multiple
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.1, 12.2
CVE-2017-5645
Oracle Rapid Planning
Middle Tier (Log4j)
Multiple
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
12.1, 12.2
CVE-2019-17563
Oracle Transportation Management
Install (Apache Tomcat)
HTTP
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
6.3.7
CVE-2016-6814
Oracle Agile Engineering Data Management
Install (Apache Groovy)
HTTP
Yes
9.6
Network
Low
None
Required
Changed
High
High
High
6.2.1.0
CVE-2020-1945
Oracle Rapid Planning
Middle Tier (Apache Ant)
HTTP
Yes
9.1
Network
Low
None
None
Un-
changed
High
High
None
12.1, 12.2
CVE-2015-7501
Oracle Rapid Planning
Middle Tier (Apache Commons Collections)
HTTP
No
8.8
Network
Low
Low
None
Un-
changed
High
High
High
12.1, 12.2
CVE-2020-14669
Oracle Configurator
UI Servlet
HTTP
Yes
8.2
Network
Low
None
Required
Changed
High
Low
None
12.1, 12.2
CVE-2019-0227
Oracle Agile Engineering Data Management
Install (Apache Axis)
HTTP
Yes
7.5
Adjacent
Network
High
None
None
Un-
changed
High
High
High
6.2.1.0
CVE-2019-0227
Oracle Rapid Planning
Installation (Apache Axis)
HTTP
Yes
7.5
Adjacent
Network
High
None
None
Un-
changed
High
High
High
12.1, 12.2
CVE-2020-5398
Oracle Rapid Planning
Installation (Spring Framework)
HTTP
Yes
7.5
Network
High
None
Required
Un-
changed
High
High
High
12.1, 12.2
CVE-2018-15756
Oracle Rapid Planning
Middle Tier (Spring Framework)
HTTP
Yes
7.5
Network
Low
None
None
Un-
changed
None
None
High
12.1, 12.2
CVE-2018-8013
Oracle Rapid Planning
Middle Tier (Apache Batik)
HTTP
Yes
7.3
Network
Low
None
None
Un-
changed
Low
Low
Low
12.1, 12.2
CVE-2019-17091
Oracle Rapid Planning
Installation (Eclipse Mojarra)
HTTP
Yes
6.1
Network
Low
None
Required
Changed
Low
Low
None
12.1, 12.2
CVE-2019-1547
Oracle Agile Engineering Data Management
Install (OpenSSL)
None
No
4.7
Local
High
Low
None
Un-
changed
High
None
None
6.2.1.0
CVE-2020-14551
Oracle AutoVue
Security
HTTP
No
4.3
Network
Low
Low
None
Un-
changed
None
Low
None
21.0
CVE-2020-14544
Oracle Transportation Management
Data, Domain & Function Security
HTTP
No
4.3
Network
Low
Low
None
Un-
changed
Low
None
None
6.4.3
Additional CVEs addressed are below:
- The patch for CVE-2019-0227 also addresses CVE-2018-8032.
- The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.
- The patch for CVE-2019-17563 also addresses CVE-2019-17569, CVE-2020-1935 and CVE-2020-1938.
- The patch for CVE-2019-2729 also addresses CVE-2019-2725.
- The patch for CVE-2020-5398 also addresses CVE-2020-5397.
Oracle Systems Risk Matrix
This Critical Patch Update contains 7 new security patches for Oracle Systems. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-11656
Oracle ZFS Storage Appliance Kit
Operating System Image
Multiple
Yes
9.8
Network
Low
None
None
Un-
changed
High
High
High
8.8
CVE-2020-14724
Oracle Solaris
Device Driver Utility
None
No
7.3
Local
Low
Low
Required
Un-
changed
High
High
High
11
CVE-2018-12207
Oracle Solaris
Kernel
None
No
6.5
Local
Low
Low
None
Changed
None
None
High
11
See Note 1
CVE-2020-14537
Oracle Solaris
Packaging Scripts
None
No
5.5
Local
Low
High
Required
Changed
None
None
High
11
CVE-2020-14545
Oracle Solaris
Device Driver Utility
None
No
5.0
Local
High
Low
Required
Un-
changed
None
High
Low
11
CVE-2019-5489
Oracle Solaris
Kernel
Multiple
No
3.5
Network
High
Low
None
Changed
Low
None
None
11
CVE-2020-14542
Oracle Solaris
libsuri
None
No
3.3
Local
Low
Low
None
Un-
changed
Low
None
None
11
Notes:
- Please refer to My Oracle Support Note 2609642.1 for further information on how CVE-2018-12207 impacts Oracle Solaris.
Additional CVEs addressed are below:
- The patch for CVE-2020-11656 also addresses CVE-2020-1927 and CVE-2020-1934.
Oracle Utilities Applications Risk Matrix
This Critical Patch Update contains 1 new security patch for Oracle Utilities Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2018-12023
Oracle Utilities Framework
Common (jackson-databind)
HTTP
Yes
7.5
Network
High
None
Required
Un-
changed
High
High
High
4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0
Oracle Virtualization Risk Matrix
This Critical Patch Update contains 25 new security patches for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
CVE#
Product
Component
Protocol
Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Supported Versions Affected
Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req’d
User
Interact
Scope
Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14628
Oracle VM VirtualBox
Core
None
No
8.2
Local
Low
High
None
Changed
High
High
High
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
See Note 1
CVE-2020-14646
Oracle VM VirtualBox
Core
None
No
7.5
Local
High
High
None
Changed
High
High
High
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14647
Oracle VM VirtualBox
Core
None
No
7.5
Local
High
High
None
Changed
High
High
High
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14649
Oracle VM VirtualBox
Core
None
No
7.5
Local
High
High
None
Changed
High
High
High
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14713
Oracle VM VirtualBox
Core
None
No
7.5
Local
High
High
None
Changed
High
High
High
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14674
Oracle VM VirtualBox
Core
None
No
7.5
Local
High
High
None
Changed
High
High
High
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14675
Oracle VM VirtualBox
Core
None
No
7.5
Local
High
High
None
Changed
High
High
High
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14676
Oracle VM VirtualBox
Core
None
No
7.5
Local
High
High
None
Changed
High
High
High
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14677
Oracle VM VirtualBox
Core
None
No
7.5
Local
High
High
None
Changed
High
High
High
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14699
Oracle VM VirtualBox
Core
None
No
7.5
Local
High
High
None
Changed
High
High
High
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14711
Oracle VM VirtualBox
Core
None
No
6.5
Local
Low
High
Required
Un-
changed
High
High
High
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
See Note 2
CVE-2020-14629
Oracle VM VirtualBox
Core
None
No
6.0
Local
Low
High
None
Changed
High
None
None
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14703
Oracle VM VirtualBox
Core
None
No
6.0
Local
Low
High
None
Changed
High
None
None
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14704
Oracle VM VirtualBox
Core
None
No
6.0
Local
Low
High
None
Changed
High
None
None
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14648
Oracle VM VirtualBox
Core
None
No
5.3
Local
High
High
None
Changed
High
None
None
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14650
Oracle VM VirtualBox
Core
None
No
5.3
Local
High
High
None
Changed
High
None
None
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14673
Oracle VM VirtualBox
Core
None
No
5.3
Local
High
High
None
Changed
High
None
None
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14694
Oracle VM VirtualBox
Core
None
No
5.3
Local
High
High
None
Changed
High
None
None
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14695
Oracle VM VirtualBox
Core
None
No
5.3
Local
High
High
None
Changed
High
None
None
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14698
Oracle VM VirtualBox
Core
None
No
5.3
Local
High
High
None
Changed
High
None
None
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14700
Oracle VM VirtualBox
Core
None
No
5.3
Local
High
High
None
Changed
High
None
None
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14712
Oracle VM VirtualBox
Core
None
No
5.0
Local
Low
Low
Required
Un-
changed
None
High
None
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14707
Oracle VM VirtualBox
Core
None
No
5.0
Local
Low
Low
Required
Un-
changed
None
None
High
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14714
Oracle VM VirtualBox
Core
None
No
4.4
Local
Low
High
None
Un-
changed
None
None
High
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
CVE-2020-14715
Oracle VM VirtualBox
Core
None
No
4.4
Local
Low
High
None
Un-
changed
None
None
High
Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
Notes:
- The CVE-2020-14628 is applicable to Windows VM only.
- The CVE-2020-14711 is applicable to macOS host only.
Why Oracle
- Analyst Reports
- Gartner MQ for Cloud ERP
- Cloud Economics
- Corporate Responsibility
- Diversity and Inclusion
- Security Practices
Learn
- What is cloud computing?
- What is CRM?
- What is Docker?
- What is Kubernetes?
- What is Python?
- What is SaaS?
What’s New
Oracle Supports Ukraine
Oracle CloudWorld
Oracle and Premier League
Oracle Red Bull Racing
Employee Experience Platform
Oracle Support Rewards
© 2022 Oracle
Site Map
Privacy/Do Not Sell My Info
Ad Choices
Careers
Facebook
Twitter
LinkedIn
YouTube