Oracle Critical Patch Update Advisory - July 2017

Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to: Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.

This Critical Patch Update contains 310 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at July 2017 Critical Patch Update: Executive Summary and Analysis.

Please note that the vulnerabilities in this Critical Patch Update are scored using version 3.0 of Common Vulnerability Scoring Standard (CVSS).

This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available here.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Affected Products and Versions column. Please click on the link in the Patch Availability column below to access the documentation for patch availability information and installation instructions.

For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update July 2017 Documentation Map, My Oracle Support Note.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Note:

Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.

Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security fixes required to resolve ZFSSA issues published in Critical Patch Updates (CPUs) and Solaris Third Party bulletins.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update July 2017 Availability Document, My Oracle Support Note 2261562.1.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly "Oracle Enterprise Manager Grid Control") and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Critical Patch Update program are available to customers who have Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

Adam Willard of Blue Canopy: CVE-2017-10040

Antonio Sanso: CVE-2017-10176

Ary Dobrovolskiy of Citadel: CVE-2017-10119

Behzad Najjarpour Jabbari, Secunia Research at Flexera Software: CVE-2017-10141, CVE-2017-10196

CERT/CC: CVE-2017-10042

Che-Chun Kuo of Divergent Security: CVE-2017-10137

Daniel Bleichenbacher of Google: CVE-2017-10115, CVE-2017-10118

David Litchfield of Apple: CVE-2017-10120

Deniz Cevik of Biznet Bilisim A.S: CVE-2017-10063

Dmitrii Iudin aka @ret5et of ERPScan: CVE-2017-10106, CVE-2017-10146

Emiliano J. Fausto of Onapsis: CVE-2017-10192

Federico Dobal of Onapsis: CVE-2017-10192

Gaston Traberg of Onapsis: CVE-2017-10108, CVE-2017-10109, CVE-2017-10180

Hassan El Hadary - Secure Misr: CVE-2017-10181

Ilya Maykov: CVE-2017-10135

Jakub Palaczynski of ING Services Polska: CVE-2017-10025, CVE-2017-10028, CVE-2017-10029, CVE-2017-10030, CVE-2017-10156, CVE-2017-10157

James Forshaw: CVE-2017-10129, CVE-2017-10204

Jayson Grace of Sandia National Laboratories: CVE-2017-10017

John Lightsey: CVE-2017-3636

Juan Pablo Perez Etchegoyen of Onapsis: CVE-2017-10244, CVE-2017-10245

Justin Ng of Spark: CVE-2017-10134

Li Qiang of the Qihoo 360 Gear Team: CVE-2017-10187, CVE-2017-10209, CVE-2017-10210, CVE-2017-10236, CVE-2017-10237, CVE-2017-10238, CVE-2017-10239, CVE-2017-10240, CVE-2017-10241, CVE-2017-10242

Luca Napolitano of Hewlett Packard Enterprise: CVE-2017-10058

Lucas Molas of Fundación Sadosky: CVE-2017-10235

Lukasz Mikula: CVE-2017-10059

Marcin Wołoszyn of ING Services Polska: CVE-2017-10024, CVE-2017-10030, CVE-2017-10035, CVE-2017-10043, CVE-2017-10091

Marcus Mengs: CVE-2017-10125

Marios Nicolaides of RUNESEC: CVE-2017-10046

Maris Elsins of Pythian: CVE-2017-3562

Matias Mevied of Onapsis: CVE-2017-10184, CVE-2017-10185, CVE-2017-10186, CVE-2017-10191

Mohit Rawat: CVE-2017-10041

Moritz Bechler: CVE-2017-10102, CVE-2017-10116

Or Hanuka of Motorola Solutions: CVE-2017-10038, CVE-2017-10131, CVE-2017-10149, CVE-2017-10150, CVE-2017-10160

Owais Mehtab of IS: CVE-2017-10075

Reno Robert: CVE-2017-10210, CVE-2017-10233, CVE-2017-10236, CVE-2017-10239, CVE-2017-10240

Roman Shalymov of ERPScan: CVE-2017-10061

Sarath Nair: CVE-2017-10246

Sean Gambles: CVE-2017-10025

Sergio Abraham of Onapsis: CVE-2017-10192

Shannon Hickey of Adobe: CVE-2017-10053

Sule Bekin of Turk Telekom: CVE-2017-10028

Takeshi Terada of Mitsui Bussan Secure Directions, Inc.: CVE-2017-10178

Tayeeb Rana of IS: CVE-2017-10075

Tzachy Horesh of Motorola Solutions: CVE-2017-10038, CVE-2017-10131, CVE-2017-10149, CVE-2017-10150, CVE-2017-10160

Tzachy Horesh of Palantir Security: CVE-2017-10092, CVE-2017-10093, CVE-2017-10094

Ubais PK of EY Global Delivery Services: CVE-2017-10073

Vahagn Vardanyan of ERPScan: CVE-2017-10147, CVE-2017-10148

Zuozhi Fan formerly of Alibaba: CVE-2017-3640, CVE-2017-3641

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program:

Christopher Tarquini

Francis Alexander

Francisco Correa

George Argyros of Columbia University

Jesse Wilson of Square

Kexin Pei of Columbia University

Nick Bloor of NCC Group

Pham Van Khanh of Viettel Information Security Center

Prof. Angelos D. Keromytis of Columbia University

Prof. Suman Jana of Columbia University

Suphannee Sivakorn of Columbia University

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:

Adam Willard of Blue Canopy

Adesh Nandkishor Kolte

Ahsan Khan

Amin Achour of Trading House

Ashish Gautam Kamble

Guifre Ruiz

Haider Kamal

Jolan Saluria

Muhammad Uwais

Nithin R

Pratik Luhana

Rodolfo Godalle Jr.

Sadik Shaikh of extremehacking.org

Willy Gaston Lindo

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

17 October 2017

16 January 2018

17 April 2018

17 July 2018

References

Modification History

Date | Note
2017-July-18 | Rev 1. Initial Release.
2017-August-1 | Rev 2. Credit Statement Update.
2017-August-9 | Rev 3. Updated CVSS score for CVE-2017-10183.
2017-August-10 | Rev 4. Added CVE-2017-10008 and CVE-2017-10064.
2018-January-29 | Rev 5. Credit Statement Update.
2018-March-20 | Rev 6. Credit Statement Update.

Appendix - Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 5 new security fixes for the Oracle Database Server divided as follows:

4 new security fixes for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

1 new security fix for Oracle REST Data Services. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Database Server Risk Matrix

The Base Score through Availability columns are the CVSS version 3.0 risk metrics (see Risk Matrix Definitions).

CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-10202 | OJVM | Create Session, Create Procedure | Multiple | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1 | See Note 1
CVE-2014-3566 | DBMS_LDAP | None | LDAP | Yes | 6.8 | Network | High | None | None | Changed | High | None | None | 11.2.0.4, 12.1.0.2 |
CVE-2016-2183 | Real Application Clusters | None | SSL/TLS | Yes | 6.8 | Network | High | None | Required | Unchanged | High | High | None | 11.2.0.4, 12.1.0.2 |
CVE-2017-10120 | RDBMS Security | Create Session, Select Any Dictionary | Oracle Net | No | 1.9 | Local | High | High | None | Unchanged | None | Low | None | 12.1.0.2 |

Notes:

1. This score is for Windows platforms. On non-Windows platforms Scope is Unchanged, giving a CVSS Base Score of 8.8.

Oracle REST Data Services Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle REST Data Services. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle REST Data Services Risk Matrix

The Base Score through Availability columns are the CVSS version 3.0 risk metrics (see Risk Matrix Definitions).

CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2016-3092 | Oracle REST Data Services | None | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to 3.0.10.25.02.36 |

Appendix - Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 44 new security fixes for Oracle Fusion Middleware. 31 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the July 2017 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2017 Patch Availability Document for Oracle Products, My Oracle Support Note 2261562.1.

Oracle Fusion Middleware Risk Matrix

The Base Score through Availability columns are the CVSS version 3.0 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-10137 | Oracle WebLogic Server | JNDI | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 10.3.6.0, 12.1.3.0 |
CVE-2015-3253 | Oracle Enterprise Data Quality | General (Apache Groovy) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.1.13.0.0 |
CVE-2015-5254 | Oracle Enterprise Repository | Security Subsystem (Apache ActiveMQ) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.1.7.0, 12.1.3.0.0 |
CVE-2017-5638 | Oracle WebLogic Server | Sample apps (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2 |
CVE-2015-7501 | Oracle Data Integrator | Studio | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0 |
CVE-2015-7501 | Oracle Endeca Server | Core (Apache Commons Collections) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 7.6.0.0, 7.6.1.0 |
CVE-2015-7501 | Oracle Enterprise Data Quality | General (Apache Commons Fileupload) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 8.1.13.0.0 |
CVE-2015-7501 | Oracle Enterprise Repository | Security | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.1.3.0.0 |
CVE-2016-0635 | Oracle Enterprise Repository | Security Subsystem | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.1.3.0.0 |
CVE-2016-2834 | Oracle OpenSSO | Web Agents (NSS) | HTTPS | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 3.0.0.8 |
CVE-2016-2834 | Oracle Traffic Director | Security (NSS) | HTTPS | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.1.1.7.0, 11.1.1.9.0 |
CVE-2015-7501 | Oracle Tuxedo System and Applications Monitor | General (Apache Commons Collections) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.1.1.2.0, 11.1.1.2.1, 11.1.1.2.2, 12.1.1.1.0, 12.1.3.0.0 |
CVE-2016-0635 | Oracle Tuxedo System and Applications Monitor | General (Spring) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.1.1.2.0, 11.1.1.2.1, 11.1.1.2.2, 12.1.1.1.0, 12.1.3.0.0, 12.2.2.0.0 |
CVE-2017-10147 | Oracle WebLogic Server | Core Components | T3 | Yes | 8.6 | Network | Low | None | None | Changed | None | None | High | 10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2 |
CVE-2017-10025 | BI Publisher | BI Publisher Security | HTTP | Yes | 8.2 | Network | Low | None | None | Unchanged | High | Low | None | 11.1.1.7.0 |
CVE-2017-10043 | BI Publisher | BI Publisher Security | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.1.1.7.0, 11.1.1.9.0 |
CVE-2017-10156 | BI Publisher | BI Publisher Security | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0 |
CVE-2017-10024 | BI Publisher | Layout Tools | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.1.1.7.0 |
CVE-2017-10028 | BI Publisher | Web Server | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.1.1.7.0 |
CVE-2017-10029 | BI Publisher | Web Server | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.1.1.7.0 |
CVE-2017-10030 | BI Publisher | Web Server | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.1.1.7.0 |
CVE-2017-10035 | BI Publisher | Web Server | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.1.1.7.0, 11.1.1.9.0 |
CVE-2017-10048 | Oracle Enterprise Repository | Web Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.1.1.7.0, 12.1.3.0.0 |
CVE-2017-10141 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 8.2 | Network | Low | None | None | Unchanged | None | Low | High | 8.5.3.0 |
CVE-2017-10196 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 8.2 | Network | Low | None | None | Unchanged | None | Low | High | 8.5.3.0 |
CVE-2017-10040 | Oracle WebCenter Content | Content Server | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | Low | High | None | 11.1.1.9.0, 12.2.1.1.0 |
CVE-2017-10075 | Oracle WebCenter Content | Content Server | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0 |
CVE-2017-10059 | BI Publisher | Mobile Service | HTTP | No | 7.6 | Network | Low | Low | Required | Changed | High | Low | None | 11.1.1.7.0 |
CVE-2017-10041 | BI Publisher | Web Server | HTTP | No | 7.6 | Network | Low | Low | Required | Changed | High | Low | None | 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0 |
CVE-2017-10119 | Oracle Service Bus | OSB Web Console Design, Admin | HTTP | No | 7.6 | Network | Low | Low | Required | Changed | High | Low | None | 11.1.1.9.0 |
CVE-2016-3092 | BI Publisher | Web Server (Apache Commons Fileupload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0 |
CVE-2015-7940 | Oracle Enterprise Repository | Security Subsystem (Bouncy Castle) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.1.3.0.0 |
CVE-2015-7940 | Oracle Secure Enterprise Search | Generic (Bouncy Castle) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.2.2.2.0 |
CVE-2017-10058 | Oracle Business Intelligence Enterprise Edition | Analytics Web Administration | HTTP | No | 6.9 | Network | Low | High | Required | Changed | Low | High | None | 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0 |
CVE-2017-10157 | BI Publisher | BI Publisher Security | HTTP | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0 |
CVE-2017-10178 | Oracle WebLogic Server | Web Container | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2 |
CVE-2017-3732 | Oracle API Gateway | OAG (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.1.2.4.0 |
CVE-2017-3732 | Oracle Endeca Server | Core (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 7.3.0.0, 7.4.0.0, 7.5.0.0, 7.5.1.0, 7.6.0.0, 7.6.1.0, 7.7.0.0 |
CVE-2017-3732 | Oracle Tuxedo | SSL Module (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 12.1.1 |
CVE-2013-2027 | Oracle WebLogic Server | WLST | None | No | 5.9 | Local | Low | None | None | Unchanged | Low | Low | Low | 10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2 |
CVE-2017-10148 | Oracle WebLogic Server | Core Components | T3 | Yes | 5.8 | Network | Low | None | None | Changed | None | Low | None | 10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2 |
CVE-2017-10063 | Oracle WebLogic Server | Web Services | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | None | Low | Low | 10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2 |
CVE-2017-10123 | Oracle WebLogic Server | Web Container | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 12.1.3.0 |
CVE-2014-3566 | Oracle Endeca Server | Core (OpenSSL) | HTTPS | Yes | 3.4 | Network | High | None | Required | Changed | Low | None | None | 7.4.0.0, 7.5.0.0, 7.5.1.0, 7.6.0.0, 7.6.1.0 |

Additional CVEs addressed are below:

The fix for CVE-2015-7501 also addresses CVE-2011-2730.

The fix for CVE-2015-7940 also addresses CVE-2015-7501, and CVE-2016-5019.

The fix for CVE-2016-2834 also addresses CVE-2016-1950, and CVE-2016-1979.

The fix for CVE-2017-3732 also addresses CVE-2016-7055, and CVE-2017-3731.

Appendix - Oracle Hyperion

Oracle Hyperion Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Hyperion. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Hyperion Risk Matrix

The Base Score through Availability columns are the CVSS version 3.0 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2016-0635 | Hyperion Essbase | Java Based Agent (Spring) | Multiple | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | | See Note 1

Notes:

1. Fixed in all versions from 12.2.1.1 onward.

Appendix - Oracle Enterprise Manager Grid Control

Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle Enterprise Manager Grid Control. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the July 2017 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2017 Patch Availability Document for Oracle Products, My Oracle Support Note 2261562.1.

Oracle Enterprise Manager Grid Control Risk Matrix

The Base Score through Availability columns are the CVSS version 3.0 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2016-5387 | Enterprise Manager Ops Center | Satellite Framework | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 12.2.2, 12.3.2 |
CVE-2016-1181 | Oracle Application Testing Suite | Installation | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 12.5.0.2, 12.5.0.3 |
CVE-2017-10091 | Enterprise Manager Base Platform | UI Framework | HTTP | No | 7.7 | Network | Low | Low | None | Changed | None | High | None | 12.1.0, 13.1.0, 13.2.0 |
CVE-2015-7940 | Oracle Business Transaction Management | Security | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.1.x, 12.1.x |
CVE-2016-2381 | Oracle Configuration Manager | Installation | Multiple | No | 6.5 | Network | Low | Low | None | Unchanged | None | High | None | Prior to 12.1.2.0.4 |
CVE-2017-3732 | Enterprise Manager Base Platform | Discovery Framework | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 12.1.0, 13.1.0, 13.2.0 |
CVE-2017-3732 | Enterprise Manager Ops Center | Networking | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 12.2.2, 12.3.2 |
CVE-2016-3092 | Enterprise Manager Ops Center | Hosted Framework | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 12.2.2, 12.3.2 |

Additional CVEs addressed are below:

The fix for CVE-2016-2381 also addresses CVE-2015-8607, and CVE-2015-8608.

The fix for CVE-2016-5387 also addresses CVE-2016-5385, CVE-2016-5386, and CVE-2016-5388.

Appendix - Oracle Applications

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 22 new security fixes for the Oracle E-Business Suite. 18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the July 2017 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (July 2017), My Oracle Support Note 2270270.1. Some of the risk matrix rows in this section are assigned multiple CVE#s. In these cases, additional CVEs are listed below the risk matrix to improve readability. Each group of CVE identifiers share the same description, vulnerability type, Component, Sub-Component and affected versions listed in the risk matrix entry, but occur in different code sections within a Sub-Component.

Oracle E-Business Suite Risk Matrix

The Base Score through Availability columns are the CVSS version 3.0 risk metrics (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-10246 | Oracle Application Object Library | iHelp | HTTP | Yes | 8.2 | Network | Low | None | None | Unchanged | High | Low | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |
CVE-2017-10180 | Oracle CRM Technical Foundation | CMRO | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |
CVE-2017-10143 | Oracle CRM Technical Foundation | Preferences | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |
CVE-2017-10185 | Oracle CRM Technical Foundation | User Management | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |
CVE-2017-10113 | Oracle Common Applications | CRM User Management Framework | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |
CVE-2017-10170 | Oracle Field Service | Wireless/WAP | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3 |
CVE-2017-10171 | Oracle Marketing | Home Page | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |
CVE-2017-10191 | Oracle Web Analytics | Common Libraries | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |
CVE-2017-10112 | Oracle iStore | User Registration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |
CVE-2017-10174 | Oracle iSupport | Service Request | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |
CVE-2017-10177 | Oracle Application Object Library | Flexfields | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 12.2.6 |
CVE-2017-10130 | Oracle iStore | User Management | HTTP | No | 7.6 | Network | Low | Low | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |
CVE-2016-6304 | Application Server | OpenSSL | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.1.3 |
CVE-2017-10144 | Oracle Applications Manager | Oracle Diagnostics Interfaces | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.1.3 |
CVE-2017-10245 | Oracle General Ledger | Account Hierarchy Manager | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |
CVE-2017-10179 | Application Management Pack for Oracle E-Business Suite | User Monitoring | HTTP | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | AMP 12.1.0.4.0, AMP 13.1.1.1.0 |
CVE-2017-3562 | Oracle Applications DBA | AD Utilities | HTTP | No | 6.5 | Network | Low | High | None | Unchanged | High | High | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |
CVE-2017-10244 | Oracle Application Object Library | Attachments | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |
CVE-2017-10184 | Oracle Field Service | Wireless/WAP | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |
CVE-2017-10192 | Oracle iStore | Shopping Cart | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |
CVE-2017-10186 | Oracle iStore | User and Company Profile | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |
CVE-2017-10175 | Oracle iSupport | Profiles | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 |

Additional CVEs addressed are below:

The fix for CVE-2016-6304 also addresses CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, and CVE-2016-7052.

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 10 new security fixes for the Oracle Supply Chain Products Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-10039 | Oracle Agile PLM | Web Client | HTTP | No | 6.8 | Network | Low | Low | Required | Changed | High | None | None | 9.3.5, 9.3.6 | |
| CVE-2017-10052 | Oracle Agile PLM | PCMServlet | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.3.5, 9.3.6 | |
| CVE-2017-10080 | Oracle Agile PLM | Security | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.3.5, 9.3.6 | |
| CVE-2017-10082 | Oracle Agile PLM | Security | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.3.5, 9.3.6 | |
| CVE-2017-10092 | Oracle Agile PLM | Security | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.3.5, 9.3.6 | |
| CVE-2017-3732 | Oracle Transportation Management | Apache Webserver | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 6.1, 6.2 | |
| CVE-2017-10094 | Oracle Agile PLM | Security | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 9.3.5, 9.3.6 | |
| CVE-2017-10032 | Oracle Transportation Management | Access Control List | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 6.3.4.1, 6.3.5.1, 6.3.6.1, 6.3.7.1, 6.4.0, 6.4.1, 6.4.2 | |
| CVE-2017-10093 | Oracle Agile PLM | Security | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 9.3.5, 9.3.6 | |
| CVE-2017-10088 | Oracle Agile PLM | Security | None | No | 3.4 | Local | Low | High | None | Unchanged | Low | Low | None | 9.3.5, 9.3.6 | |

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 30 new security fixes for Oracle PeopleSoft Products. 20 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-10061 | PeopleSoft Enterprise PeopleTools | Integration Broker | HTTP | Yes | 8.3 | Network | Low | None | None | Changed | Low | Low | Low | 8.54, 8.55 | |
| CVE-2017-10146 | PeopleSoft Enterprise PeopleTools | Portal | HTTP | Yes | 8.3 | Network | Low | None | None | Changed | Low | Low | Low | 8.54, 8.55 | |
| CVE-2017-10019 | PeopleSoft Enterprise PeopleTools | Integration Broker | HTTP | Yes | 7.4 | Network | Low | None | Required | Changed | High | None | None | 8.54, 8.55 | |
| CVE-2017-10258 | PeopleSoft Enterprise PRTL Interaction Hub | Add New Image | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.1.0 | |
| CVE-2017-10257 | PeopleSoft Enterprise PRTL Interaction Hub | Browse Folder Hierarchy | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.1.0 | |
| CVE-2017-10215 | PeopleSoft Enterprise PRTL Interaction Hub | EPPCM_DEFN_CATG | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.1.0 | |
| CVE-2017-10248 | PeopleSoft Enterprise PRTL Interaction Hub | EPPCM_HIER_TOP | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.1.0 | |
| CVE-2017-10255 | PeopleSoft Enterprise PRTL Interaction Hub | EPPCM_HIER_TOP | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.1.0 | |
| CVE-2017-10256 | PeopleSoft Enterprise PRTL Interaction Hub | EPPCM_HIER_TOP | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.1.0 | |
| CVE-2017-10100 | PeopleSoft Enterprise PRTL Interaction Hub | HTML Area | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.1.0 | |
| CVE-2017-10126 | PeopleSoft Enterprise PRTL Interaction Hub | HTML Area | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.1.0 | |
| CVE-2017-10247 | PeopleSoft Enterprise PRTL Interaction Hub | HTML Area | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.1.0 | |
| CVE-2017-10070 | PeopleSoft Enterprise PRTL Interaction Hub | Maintenance Folders | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.1.0 | |
| CVE-2017-10249 | PeopleSoft Enterprise PeopleTools | Integration Broker | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.54, 8.55 | |
| CVE-2017-10021 | PeopleSoft Enterprise PeopleTools | PIA Search | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.54, 8.55 | |
| CVE-2017-10253 | PeopleSoft Enterprise PeopleTools | Pivot Grid | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.54, 8.55 | |
| CVE-2017-10106 | PeopleSoft Enterprise PeopleTools | Portal | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.54, 8.55 | |
| CVE-2017-10017 | PeopleSoft Enterprise PeopleTools | Workcenter | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.54, 8.55 | |
| CVE-2017-3731 | PeopleSoft Enterprise PeopleTools | Security | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 8.54, 8.55 | |
| CVE-2017-10134 | PeopleSoft Enterprise FSCM | eProcurement | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 9.2 | |
| CVE-2017-10057 | PeopleSoft Enterprise PRTL Interaction Hub | Discussion Forum | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 9.1.0 | |
| CVE-2017-10027 | PeopleSoft Enterprise PeopleTools | Fluid Homepage & Navigation | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 8.54, 8.55 | |
| CVE-2017-10045 | PeopleSoft Enterprise PeopleTools | Integration Broker | HTTP | Yes | 5.3 | Network | High | None | Required | Unchanged | High | None | None | 8.54, 8.55 | |
| CVE-2017-10015 | PeopleSoft Enterprise PeopleTools | Application Designer | None | No | 4.7 | Local | High | Low | None | Unchanged | High | None | None | 8.54, 8.55 | |
| CVE-2017-10251 | PeopleSoft Enterprise PeopleTools | Test Framework | None | No | 4.7 | Local | High | Low | None | Unchanged | High | None | None | 8.54, 8.55 | |
| CVE-2017-10250 | PeopleSoft Enterprise PeopleTools | Tuxedo | None | No | 4.7 | Local | High | Low | None | Unchanged | High | None | None | 8.54, 8.55 | |
| CVE-2017-10020 | PeopleSoft Enterprise PeopleTools | Updates Change Assistant | None | No | 4.7 | Local | High | Low | None | Unchanged | High | None | None | 8.54, 8.55 | |
| CVE-2017-10252 | PeopleSoft Enterprise PeopleTools | Updates Change Assistant | None | No | 4.7 | Local | High | Low | None | Unchanged | High | None | None | 8.54, 8.55 | |
| CVE-2017-10018 | PeopleSoft Enterprise FSCM | Strategic Sourcing | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 9.2 | |
| CVE-2017-10254 | PeopleSoft Enterprise FSCM | Staffing Front Office | HTTP | No | 2.7 | Network | Low | High | None | Unchanged | Low | None | None | 9.2 | |

Additional CVEs addressed are below:

The fix for CVE-2017-3731 also addresses CVE-2016-7055.

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Siebel CRM. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-10049 | Siebel Core CRM | Search | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 16.0, 17.0 | |

Oracle Commerce Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Commerce. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Commerce Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-3732 | Oracle Commerce Guided Search / Oracle Commerce Experience Manager | Platform Services | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 6.1.4, 11.0, 11.1, 11.2 | |

Oracle iLearning Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle iLearning Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-10199 | Oracle iLearning | Learner Pages | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 6.2 | |

Appendix - Oracle Communications Applications

Oracle Communications Applications Executive Summary

This Critical Patch Update contains 11 new security fixes for Oracle Communications Applications. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Communications Applications Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2015-3253 | Oracle Communications BRM | Elastic Charging Engine (Apache Groovy) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.2.0.0.0, 11.3.0.0.0 | |
| CVE-2015-0235 | Oracle Communications Policy Management | Platform (GlibC) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.5 | |
| CVE-2015-7501 | Oracle Communications BRM | Elastic Charging Engine (Apache Commons Collections) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.2.0.0.0 | |
| CVE-2016-0635 | Oracle Communications BRM | Elastic Charging Engine (Spring) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.2.0.0.0, 11.3.0.0.0 | |
| CVE-2016-2107 | Oracle Communications Session Router | Routing (OpenSSL) | TLS | Yes | 8.2 | Network | Low | None | None | Unchanged | Low | None | High | SCZ730, SCZ740, ECZ730 | |
| CVE-2016-2107 | Oracle Enterprise Communications Broker | Routing (OpenSSL) | TLS | Yes | 8.2 | Network | Low | None | None | Unchanged | Low | None | High | PCZ210 | |
| CVE-2015-7940 | Oracle Communications Convergence | Mail Proxy (Bouncy Castle) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 3.0, 3.0.1 | |
| CVE-2016-6304 | Oracle Enterprise Session Border Controller | Routing (OpenSSL) | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | ECZ7.3.0 | |
| CVE-2017-10031 | Oracle Communications Convergence | Mail Proxy (dojo) | HTTP | Yes | 7.2 | Network | Low | None | None | Changed | Low | Low | None | 3.0, 3.0.1 | |
| CVE-2016-2107 | Oracle Communications EAGLE LNP Application Processor | Platform (OpenSSL) | TLS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 10.0 | |
| CVE-2017-3732 | Oracle Communications Network Charging and Control | Common fns (OpenSSL) | TLS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 4.4.1.5, 5.0.0.1, 5.0.0.2, 5.0.1.0, 5.0.2.0 | |

Additional CVEs addressed are below:

The fix for CVE-2016-2107 also addresses CVE-2014-0224, CVE-2014-3571, CVE-2015-0286, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2015-3195, CVE-2015-3197, CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109.

The fix for CVE-2016-6304 also addresses CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, and CVE-2016-7052.

Appendix - Oracle Financial Services Applications

Oracle Financial Services Applications Executive Summary

This Critical Patch Update contains 20 new security fixes for Oracle Financial Services Applications. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Financial Services Applications Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-0635 | Financial Services Behavior Detection Platform | Admin Tool (Spring) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 8.0.1, 8.0.2 | |
| CVE-2016-3092 | Oracle Banking Platform | Collections (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 2.3, 2.4, 2.4.1, 2.5 | |
| CVE-2017-10085 | Oracle FLEXCUBE Universal Banking | Infrastructure | HTTP | No | 7.1 | Network | Low | Low | None | Unchanged | High | Low | None | 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0 | |
| CVE-2017-10181 | Oracle FLEXCUBE Direct Banking | Forgot Password | HTTP | No | 6.8 | Network | Low | Low | Required | Unchanged | Low | Low | High | 12.0.2, 12.0.3 | |
| CVE-2017-10006 | Oracle FLEXCUBE Private Banking | Miscellaneous | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | High | None | 2.0.0, 2.0.1, 2.2.0, 12.0.1 | |
| CVE-2017-10103 | Oracle FLEXCUBE Private Banking | Miscellaneous | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 2.0.0, 2.0.1, 2.2.0, 12.0.1 | |
| CVE-2017-10023 | Oracle FLEXCUBE Private Banking | Operations | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 2.0.0, 2.0.1, 2.2.0, 12.0.1 | |
| CVE-2017-10084 | Oracle FLEXCUBE Universal Banking | Report Generator | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0 | |
| CVE-2017-10005 | Oracle FLEXCUBE Private Banking | Miscellaneous | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 2.0.0, 2.0.1, 2.2.0, 12.0.1 | |
| CVE-2017-10083 | Oracle FLEXCUBE Universal Banking | Infrastructure | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0 | |
| CVE-2017-10011 | Oracle FLEXCUBE Private Banking | Miscellaneous | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 2.0.0, 2.0.1, 2.2.0, 12.0.1 | |
| CVE-2017-10012 | Oracle FLEXCUBE Private Banking | Operations | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 2.0.0, 2.0.1, 2.2.0, 12.0.1 | |
| CVE-2017-10072 | Oracle FLEXCUBE Universal Banking | All Modules | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0 | |
| CVE-2017-10073 | Oracle FLEXCUBE Universal Banking | Infrastructure | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0 | |
| CVE-2017-10098 | Oracle FLEXCUBE Universal Banking | Infrastructure | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0 | |
| CVE-2017-10010 | Oracle FLEXCUBE Private Banking | FileUploads | HTTP | No | 4.6 | Network | Low | Low | Required | Unchanged | Low | Low | None | 2.0.0, 2.0.1, 2.2.0, 12.0.1 | |
| CVE-2017-10009 | Oracle FLEXCUBE Private Banking | Miscellaneous | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 2.0.0, 2.0.1, 2.2.0, 12.0.1 | |
| CVE-2017-10007 | Oracle FLEXCUBE Private Banking | Miscellaneous | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 2.0.0, 2.0.1, 2.2.0, 12.0.1 | |
| CVE-2017-10008 | Oracle FLEXCUBE Private Banking | Miscellaneous | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 2.0.0, 2.0.1, 2.2.0, 12.0.1 | |
| CVE-2017-10022 | Oracle FLEXCUBE Private Banking | Operations | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 2.0.0, 2.0.1, 2.2.0, 12.0.1 | |
| CVE-2017-10071 | Oracle FLEXCUBE Universal Banking | All Modules | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | Low | None | 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0 | |

Appendix - Oracle Hospitality Applications

Oracle Hospitality Applications Executive Summary

This Critical Patch Update contains 48 new security fixes for Oracle Hospitality Applications. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Hospitality Applications Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-5689 | MICROS PC Workstation 2015 | BIOS (Intel AMT) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to O1302h | See Note 1 |
| CVE-2017-5689 | MICROS Workstation 650 | BIOS (Intel AMT) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to E1500n | See Note 2 |
| CVE-2017-10000 | Oracle Hospitality Reporting and Analytics | Reporting | HTTP | No | 7.7 | Network | Low | Low | None | Changed | None | None | High | 8.5.1, 9.0.0 | |
| CVE-2017-10232 | Hospitality WebSuite8 Cloud Service | General | HTTP | No | 7.6 | Network | Low | Low | None | Unchanged | High | Low | Low | 8.9.6, 8.10.x | |
| CVE-2017-10001 | Oracle Hospitality Simphony First Edition | Core | HTTP | No | 7.6 | Network | Low | Low | Required | Unchanged | High | Low | High | 1.7.1 | |
| CVE-2017-10136 | Oracle Hospitality Simphony | Import/Export | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 2.9 | |
| CVE-2017-10206 | Oracle Hospitality Simphony | Engagement | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 2.9 | |
| CVE-2017-10226 | Oracle Hospitality Cruise Fleet Management | Fleet Management System Suite | HTTP | No | 7.1 | Network | Low | Low | None | Unchanged | High | Low | None | 9.0 | |
| CVE-2017-10225 | Oracle Hospitality RES 3700 | OPS Operations | NA | No | 7.0 | Physical | High | Low | None | Changed | High | High | Low | 5.5 | |
| CVE-2017-10216 | Hospitality Property Interfaces | Parser | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 8.10.x | |
| CVE-2017-10212 | Hospitality Suite8 | WebConnect | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 8.10.x | |
| CVE-2017-10047 | MICROS BellaVita | Interface | HTTP | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 2.7.x | |
| CVE-2017-10224 | Oracle Hospitality Inventory Management | Inventory and Count Cycle | HTTP | No | 6.4 | Network | Low | Low | None | Changed | Low | Low | None | 8.5.1, 9.0.0 | |
| CVE-2017-10076 | Oracle Hospitality Simphony First Edition Venue Management | Core | HTTP | No | 6.4 | Network | Low | Low | None | Changed | Low | Low | None | 3.9 | |
| CVE-2017-10211 | Hospitality Suite8 | WebConnect | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.10.x | |
| CVE-2017-10128 | Hospitality WebSuite8 Cloud Service | General | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.9.6, 8.10.x | |
| CVE-2017-10064 | Hospitality WebSuite8 Cloud Service | General | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.9.6, 8.10.x | |
| CVE-2017-10097 | Oracle Hospitality Reporting and Analytics | Reporting | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.5.1, 9.0.0 | |
| CVE-2017-10079 | Oracle Hospitality Suites Management | Core | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 3.7 | |
| CVE-2017-10188 | Hospitality Hotel Mobile | Suite 8/Android | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 1.01 | |
| CVE-2017-10189 | Hospitality Suite8 | Leisure | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 8.10.x | |
| CVE-2017-10169 | Oracle Hospitality 9700 | Operation Security | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 4.0 | |
| CVE-2017-10056 | Oracle Hospitality 9700 | Property Management Systems | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 4.0 | |
| CVE-2017-10231 | Oracle Hospitality Cruise AffairWhere | AWExport | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 2.2.05.062 | |
| CVE-2017-10219 | Oracle Hospitality Guest Access | Base | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 4.2.0.0, 4.2.1.0 | |
| CVE-2017-10201 | Oracle Hospitality e7 | Other | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 4.2.1 | |
| CVE-2017-10230 | Oracle Hospitality Cruise Dining Room Management | SilverWhere | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 8.0.75 | |
| CVE-2017-10229 | Oracle Hospitality Cruise Materials Management | Event Viewer | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 7.30.562 | |
| CVE-2017-10228 | Oracle Hospitality Cruise Shipboard Property Management System | Module | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 8.0.0.0 | |
| CVE-2017-10002 | Oracle Hospitality Inventory Management | Settings and Config | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 8.5.1, 9.0.0 | |
| CVE-2017-10222 | Oracle Hospitality Materials Control | Production Tool | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 8.31.4, 8.32.0 | |
| CVE-2017-10223 | Oracle Hospitality Materials Control | Purchasing | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 8.31.4, 8.32.0 | |
| CVE-2017-10142 | Oracle Hospitality Reporting and Analytics | Mobile Apps | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 8.5.1, 9.0.0 | |
| CVE-2017-10044 | Oracle Hospitality Reporting and Analytics | Reporting | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 8.5.1, 9.0.0 | |
| CVE-2017-10207 | Oracle Hospitality Simphony | Utilities | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 2.9 | |
| CVE-2017-10069 | Oracle Payment Interface | Core | HTTP | No | 5.3 | Network | High | Low | None | Unchanged | High | None | None | 6.1.1 | |
| CVE-2017-10221 | Oracle Hospitality RES 3700 | OPS Operations | None | No | 5.0 | Local | High | Low | Required | Changed | Low | Low | Low | 5.5 | |
| CVE-2017-10168 | Hospitality Hotel Mobile | Suite 8/Windows | NA | No | 4.6 | Physical | High | Low | None | Unchanged | High | None | Low | 1.1 | |
| CVE-2017-10182 | Oracle Hospitality OPERA 5 Property Services | OPERA Export Functionality | HTTP | No | 4.4 | Network | High | High | None | Unchanged | High | None | None | 5.4.0.x, 5.4.1.x, 5.4.3.x | |
| CVE-2017-10200 | Oracle Hospitality e7 | Other | None | No | 4.4 | Local | Low | Low | None | Unchanged | Low | Low | None | 4.2.1 | |
| CVE-2017-10133 | Hospitality Hotel Mobile | Suite8/RestAPI | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 1.1 | |
| CVE-2017-10132 | Hospitality Hotel Mobile | Suite8/iOS | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 1.05 | |
| CVE-2017-10217 | Oracle Hospitality Guest Access | Base | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 4.2.0.0, 4.2.1.0 | |
| CVE-2017-10218 | Oracle Hospitality Guest Access | Base | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 4.2.0.0, 4.2.1.0 | |
| CVE-2017-10205 | Oracle Hospitality Simphony | Enterprise Management Console | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 2.9 | |
| CVE-2017-10195 | Oracle Hospitality Simphony | Import/Export | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | Low | None | 2.8 | |
| CVE-2017-10208 | Oracle Hospitality e7 | Other | SMTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 4.2.1 | |
| CVE-2017-10220 | Hospitality Property Interfaces | Parser | None | No | 4.0 | Local | Low | None | None | Unchanged | Low | None | None | 8.10.x | |
| CVE-2017-10213 | Hospitality Suite8 | WebConnect | None | No | 4.0 | Local | Low | None | None | Unchanged | Low | None | None | 8.10.x | |

Notes:

1. MICROS PC Workstation 2015 systems with Intel ME firmware 6.2.61.3535 or later are not affected by this issue. See the Patch Availability document for MICROS PC Workstation 2015 for identifying the Intel ME firmware version on this device.
2. MICROS Workstation 650 systems running Intel ME firmware 10.0.55.3000 or later are not affected by this issue. See the Patch Availability document for MICROS Workstation 650 for identifying the Intel ME firmware version on this device.

Appendix - Oracle Retail Applications

Oracle Retail Applications Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle Retail Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Retail Applications Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-5689 | MICROS PC Workstation 2015 | BIOS (Intel AMT) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to O1302h | See Note 1 |
| CVE-2017-5689 | MICROS Workstation 650 | BIOS (Intel AMT) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to E1500n | See Note 2 |
| CVE-2016-6814 | Oracle Retail Allocation | Manage Allocation | HTTP | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 13.3.1, 14.0.4, 14.1.3, 15.0.1, 16.0.1 | |
| CVE-2016-6814 | Oracle Retail Customer Insights | ODI Configuration | HTTP | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 15.0, 16.0 | |
| CVE-2017-10214 | Oracle Retail Xstore Point of Service | Xstore Office | HTTP | Yes | 8.2 | Network | Low | None | None | Unchanged | High | Low | None | 6.0.x, 6.5.x, 7.0.x, 7.1.x, 15.0.x, 16.0.0 | |
| CVE-2016-3506 | Oracle Retail Warehouse Management System | Installers | Oracle Net | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 14.0.4, 14.1.3, 15.0.1 | |
| CVE-2016-3506 | Oracle Retail Workforce Management | Installation | Oracle Net | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 1.60.7, 1.64.0 | |
| CVE-2017-10183 | Oracle Retail Xstore Point of Service | Point of Sale | HTTP | Yes | 6.5 | Network | High | None | None | Changed | Low | Low | Low | 6.0.x, 6.5.x, 7.0.x, 7.1.x, 15.0.x, 16.0.0 | |
| CVE-2017-10172 | Oracle Retail Open Commerce Platform | Framework | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 5.0, 5.1, 5.2, 5.3, 6.0, 6.1, 15.0, 15.1 | |
| CVE-2017-10173 | Oracle Retail Open Commerce Platform | Website | HTTP | Yes | 5.8 | Network | Low | None | None | Changed | None | Low | None | 5.0, 5.1, 5.2, 5.3, 6.0, 6.1, 15.0, 15.1 | |

Notes:

1. MICROS PC Workstation 2015 systems with Intel ME firmware 6.2.61.3535 or later are not affected by this issue. See the Patch Availability document for MICROS PC Workstation 2015 for identifying the Intel ME firmware version on this device.
2. MICROS Workstation 650 systems running Intel ME firmware 10.0.55.3000 or later are not affected by this issue. See the Patch Availability document for MICROS Workstation 650 for identifying the Intel ME firmware version on this device.

Appendix - Oracle Policy Automation

Oracle Policy Automation Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Policy Automation. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Policy Automation Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-3092 | Oracle Policy Automation | Determinations Engine (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3 | |

Appendix - Oracle Primavera Products Suite

Oracle Primavera Products Suite Executive Summary

This Critical Patch Update contains 9 new security fixes for the Oracle Primavera Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Primavera Products Suite Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-6814 | Primavera Gateway | Primavera Integration (Groovy) | HTTP | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 1.0, 1.1, 14.2, 15.1, 15.2, 16.1, 16.2 | |
| CVE-2016-5019 | Primavera P6 Enterprise Project Portfolio Management | Web Access (Apache Trinidad) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 8.3, 8.4, 15.1, 15.2 | |
| CVE-2015-0254 | Primavera Gateway | Primavera Integration (Standard) | HTTP | No | 6.5 | Network | Low | Low | Required | Changed | Low | Low | Low | 1.0, 1.1, 14.2, 15.1, 15.2, 16.1, 16.2 | |
| CVE-2017-10038 | Primavera P6 Enterprise Project Portfolio Management | Web Access | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 15.1, 15.2, 16.1, 16.2 | |
| CVE-2017-10131 | Primavera P6 Enterprise Project Portfolio Management | Web Access | HTTP | No | 6.5 | Network | Low | Low | Required | Changed | Low | Low | Low | 8.3, 8.4, 15.1, 15.2, 16.1, 16.2 | |
| CVE-2017-10046 | Primavera P6 Enterprise Project Portfolio Management | Web Access | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 8.3, 8.4, 15.1, 15.2, 16.1 | |
| CVE-2017-10149 | Primavera Unifier | Platform | HTTP | No | 4.8 | Network | Low | High | Required | Changed | Low | Low | None | 9.13, 9.14, 10.1, 10.2, 15.1, 15.2, 16.1, 16.2 | |
| CVE-2017-10160 | Primavera P6 Enterprise Project Portfolio Management | Web Access | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 8.3, 8.4, 15.1, 15.2, 16.1, 16.2 | |
| CVE-2017-10150 | Primavera Unifier | Platform | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 9.13, 9.14, 10.1, 10.2, 15.1, 15.2, 16.1, 16.2 | |

Appendix - Oracle Java SE

Oracle Java SE Executive Summary

This Critical Patch Update contains 32 new security fixes for Oracle Java SE. 28 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Low" instead of "High", lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.
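The adjustment described in this note follows directly from the CVSS v3.0 base-score equations: lowering the three impact metrics shrinks only the Impact sub-score, while Exploitability is unchanged. The calculator below is an added example and is not Oracle's or FIRST's code. It implements the published v3.0 metric weights and formula, converts the words printed in the risk-matrix columns above (Network, Low, Required, Changed, and so on) into a vector string, and reproduces the 9.6 to 7.1 change the note quotes for the Java SE rows. The function and constant names are this example's own.

```python
import math

# Metric weights from the CVSS v3.0 specification (FIRST.org). Privileges
# Required is weighted higher when Scope is Changed, so it has its own table.
IMPACT = {"H": 0.56, "L": 0.22, "N": 0.0}
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "C": IMPACT, "I": IMPACT, "A": IMPACT,
}
PR_WEIGHTS = {
    "U": {"N": 0.85, "L": 0.62, "H": 0.27},
    "C": {"N": 0.85, "L": 0.68, "H": 0.50},
}
# Words used in the risk-matrix columns, mapped to vector-string letters.
LEVELS = {"High": "H", "Low": "L", "None": "N"}
COLUMN_WORDS = {
    "AV": {"Network": "N", "Adjacent": "A", "Local": "L", "Physical": "P"},
    "AC": {"Low": "L", "High": "H"},
    "PR": LEVELS,
    "UI": {"None": "N", "Required": "R"},
    "S": {"Unchanged": "U", "Changed": "C"},
    "C": LEVELS, "I": LEVELS, "A": LEVELS,
}
METRIC_ORDER = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def roundup(value):
    """CVSS 'Round up' to one decimal place, in integer arithmetic (the v3.1
    wording of the same operation) so that float noise such as 7.000000001
    does not round to 7.1."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def parse_vector(vector):
    """Parse 'AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H', with or without a 'CVSS:3.0/' prefix."""
    parts = vector.strip().split("/")
    if parts[0].upper().startswith("CVSS:"):
        parts = parts[1:]
    metrics = {}
    for part in parts:
        key, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed metric {part!r}")
        metrics[key] = value
    for key in METRIC_ORDER:
        if key not in metrics:
            raise ValueError(f"vector is missing the {key} metric")
    return metrics


def base_score(vector):
    """CVSS v3.0 Base Score for a vector string."""
    m = parse_vector(vector)
    scope = m["S"]
    iss = 1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]])
    if scope == "C":
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = (8.22 * WEIGHTS["AV"][m["AV"]] * WEIGHTS["AC"][m["AC"]]
                      * PR_WEIGHTS[scope][m["PR"]] * WEIGHTS["UI"][m["UI"]])
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    if scope == "C":
        total *= 1.08
    return roundup(min(total, 10.0))


def row_to_vector(*column_words):
    """Build a vector from the eight metric columns of a risk-matrix row, in table order."""
    if len(column_words) != len(METRIC_ORDER):
        raise ValueError("expected eight metric columns")
    return "/".join(f"{key}:{COLUMN_WORDS[key][word]}"
                    for key, word in zip(METRIC_ORDER, column_words))


def row_score(*column_words):
    """Recompute the Base Score of a risk-matrix row from its printed column words."""
    return base_score(row_to_vector(*column_words))


def with_impacts(vector, level):
    """Return the vector with Confidentiality, Integrity and Availability all set to `level`."""
    m = parse_vector(vector)
    for key in ("C", "I", "A"):
        m[key] = level
    return "/".join(f"{key}:{m[key]}" for key in METRIC_ORDER)


if __name__ == "__main__":
    # The top Java SE rows, scored for an administrator user ...
    admin = "AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
    # ... and the same vulnerability for an unprivileged user, as the note describes.
    user = with_impacts(admin, "L")
    print(admin, base_score(admin))  # 9.6
    print(user, base_score(user))    # 7.1
    # Any matrix row can be checked from its column words, e.g. the first E-Business Suite row.
    print(row_score("Network", "Low", "None", "None", "Unchanged", "High", "Low", "None"))  # 8.2
```

Because the same weights apply to every row, `row_score` recomputes any Base Score in the matrices above from its column words, which is a cheap consistency check when loading an advisory into a vulnerability-tracking system. The rounding step deliberately uses the integer-arithmetic form of Round up rather than `math.ceil(x * 10) / 10`, because a value that is exactly 7.0 on paper can come out as 7.000000001 in floating point and would otherwise be pushed to 7.1.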

Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 8 releases.

Oracle Java SE Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-10110 | Java SE | AWT | Multiple | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | Java SE: 6u151, 7u141, 8u131 | See Note 1 |
| CVE-2017-10089 | Java SE | ImageIO | Multiple | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | Java SE: 6u151, 7u141, 8u131 | See Note 1 |
| CVE-2017-10086 | Java SE | JavaFX | Multiple | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | Java SE: 7u141, 8u131 | See Note 1 |
| CVE-2017-10096 | Java SE, Java SE Embedded | JAXP | Multiple | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131 | See Note 1 |
| CVE-2017-10101 | Java SE, Java SE Embedded | JAXP | Multiple | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131 | See Note 1 |
| CVE-2017-10087 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131 | See Note 1 |
| CVE-2017-10090 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | Java SE: 7u141, 8u131; Java SE Embedded: 8u131 | See Note 1 |
| CVE-2017-10111 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | Java SE: 8u131; Java SE Embedded: 8u131 | See Note 1 |
| CVE-2017-10107 | Java SE, Java SE Embedded | RMI | Multiple | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131 | See Note 1 |
| CVE-2017-10102 | Java SE, Java SE Embedded | RMI | Multiple | Yes | 9.0 | Network | High | None | None | Changed | High | High | High | Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131 | See Note 2 |
| CVE-2017-10114 | Java SE | JavaFX | Multiple | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Java SE: 7u141, 8u131 | See Note 1 |
| CVE-2017-10074 | Java SE, Java SE Embedded | Hotspot | Multiple | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131 | See Note 1 |
| CVE-2017-10116 | Java SE, Java SE Embedded, JRockit | Security | Multiple | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14 | See Note 3 |
| CVE-2017-10078 | Java SE | Scripting | Multiple | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | Java SE: 8u131 | See Note 3 |
| CVE-2017-10067 | Java SE | Security | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | Java SE: 6u151, 7u141, 8u131 | See Note 1 |
| CVE-2017-10115 | Java SE, Java SE Embedded, JRockit | JCE | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14 | See Note 3 |
| CVE-2017-10118 | Java SE, Java SE Embedded, JRockit | JCE | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | Java SE: 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14 | See Note 3 |
| CVE-2017-10176 | Java SE, Java SE Embedded, JRockit | Security | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | Java SE: 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14 | See Note 3 |
| CVE-2017-10104 | Java Advanced Management Console | Server | HTTP | No | 7.4 | Network | Low | Low | None | Changed | Low | Low | Low | Java Advanced Management Console: 2.6 | |
| CVE-2017-10145 | Java Advanced Management Console | Server | Multiple | No | 7.4 | Network | Low | Low | None | Changed | Low | Low | Low | Java Advanced Management Console: 2.6 | |
| CVE-2017-10125 | Java SE | Deployment | None | No | 7.1 | Physical | High | None | None | Changed | High | High | High | Java SE: 7u141, 8u131 | See Note 4 |
| CVE-2017-10198 | Java SE, Java SE Embedded, JRockit | Security | Multiple | Yes | 6.8 | Network | High | None | None | Changed | High | None | None | Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14 | See Note 3 |
| CVE-2017-10243 | Java SE, Java SE Embedded, JRockit | JAX-WS | Multiple | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | None | Low | Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14 | See Note 3 |
| CVE-2017-10121 | Java Advanced Management Console | Server | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Java Advanced Management Console: 2.6 | |
| CVE-2017-10135 | Java SE, Java SE Embedded, JRockit | JCE | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14 | See Note 3 |
| CVE-2017-10117 | Java Advanced Management Console | Server | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | Java Advanced Management Console: 2.6 | |
| CVE-2017-10053 | Java SE, Java SE Embedded, JRockit | 2D | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14 | See Note 3 |
| CVE-2017-10108 | Java SE, Java SE Embedded, JRockit | Serialization | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14 | See Note 3 |
| CVE-2017-10109 | Java SE, Java SE Embedded, JRockit | Serialization | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14 | See Note 1 |
| CVE-2017-10105 | Java SE | Deployment | Multiple | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | Low | None | Java SE: 6u151, 7u141, 8u131 | See Note 1 |
| CVE-2017-10081 | Java SE, Java SE Embedded | Hotspot | Multiple | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | Low | None | Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131 | See Note 1 |
| CVE-2017-10193 | Java SE, Java SE Embedded | Security | Multiple | Yes | 3.1 | Network | High | None | Required | Unchanged | Low | None | None | Java SE: 6u151, 7u141, 8u131; Java SE Embedded: 8u131 | See Note 1 |

Notes:

1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
2. This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
3. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
4. Applies to deployment of Java where the Java Auto Update is enabled.

Appendix - Oracle Sun Systems Products Suite

Oracle Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 11 new security fixes for the Oracle Sun Systems Products Suite. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Sun Systems Products Suite Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-3632 | Solaris | CDE Calendar | TCP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10, 11 | See Note 1 |
| CVE-2017-10013 | Sun ZFS Storage Appliance Kit (AK) | User Interface | HTTP | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | AK 2013 | |
| CVE-2017-10042 | Solaris | IKE | IKE | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 10, 11 | |
| CVE-2017-10036 | Solaris | NFSv4 | NFSv4 | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 10, 11 | |
| CVE-2017-10016 | Sun ZFS Storage Appliance Kit (AK) | User Interface | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | AK 2013 | |
| CVE-2017-10234 | Solaris Cluster | NAS device addition | None | No | 7.3 | Local | Low | Low | Required | Unchanged | High | High | High | 4 | |
| CVE-2017-10004 | Solaris | Kernel | None | No | 6.7 | Local | Low | High | None | Unchanged | High | High | High | 10, 11 | |
| CVE-2017-10062 | Solaris | Oracle Java Web Console | None | No | 5.3 | Local | Low | Low | None | Unchanged | Low | Low | Low | 10 | |
| CVE-2017-10003 | Solaris | Network Services Library | None | No | 4.5 | Local | High | Low | None | Unchanged | Low | Low | Low | 10 | |
| CVE-2017-10095 | Solaris | Kernel | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | Low | None | 11 | |
| CVE-2017-10122 | Solaris | Kernel | None | No | 1.8 | Local | High | High | Required | Unchanged | None | Low | None | 10, 11 | |

Notes:

CVE-2017-3632 is assigned to the "EASYSTREET" vulnerability.

Appendix - Oracle Linux and Virtualization

Oracle Virtualization Executive Summary

This Critical Patch Update contains 14 new security fixes for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-10204 | Oracle VM VirtualBox | Core | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | Prior to 5.1.24 | |
| CVE-2017-10129 | Oracle VM VirtualBox | Core | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | Prior to 5.1.24 | |
| CVE-2017-10210 | Oracle VM VirtualBox | Core | None | No | 7.3 | Local | Low | High | None | Changed | Low | Low | High | Prior to 5.1.24 | |
| CVE-2017-10233 | Oracle VM VirtualBox | Core | None | No | 7.3 | Local | Low | Low | None | Changed | None | Low | High | Prior to 5.1.24 | |
| CVE-2017-10236 | Oracle VM VirtualBox | Core | None | No | 7.3 | Local | Low | High | None | Changed | Low | Low | High | Prior to 5.1.24 | |
| CVE-2017-10237 | Oracle VM VirtualBox | Core | None | No | 7.3 | Local | Low | High | None | Changed | Low | Low | High | Prior to 5.1.24 | |
| CVE-2017-10238 | Oracle VM VirtualBox | Core | None | No | 7.3 | Local | Low | High | None | Changed | Low | Low | High | Prior to 5.1.24 | |
| CVE-2017-10239 | Oracle VM VirtualBox | Core | None | No | 7.3 | Local | Low | High | None | Changed | Low | Low | High | Prior to 5.1.24 | |
| CVE-2017-10240 | Oracle VM VirtualBox | Core | None | No | 7.3 | Local | Low | High | None | Changed | Low | Low | High | Prior to 5.1.24 | |
| CVE-2017-10241 | Oracle VM VirtualBox | Core | None | No | 7.3 | Local | Low | High | None | Changed | Low | Low | High | Prior to 5.1.24 | |
| CVE-2017-10242 | Oracle VM VirtualBox | Core | None | No | 7.3 | Local | Low | High | None | Changed | Low | Low | High | Prior to 5.1.24 | |
| CVE-2017-10235 | Oracle VM VirtualBox | Core | None | No | 6.7 | Local | Low | High | None | Changed | None | Low | High | Prior to 5.1.24 | |
| CVE-2017-10209 | Oracle VM VirtualBox | Core | None | No | 5.2 | Local | Low | Low | None | Changed | Low | None | Low | Prior to 5.1.24 | |
| CVE-2017-10187 | Oracle VM VirtualBox | Core | None | No | 4.6 | Local | Low | High | None | Changed | None | Low | Low | Prior to 5.1.24 | |

Appendix - Oracle MySQL

Oracle MySQL Executive Summary

This Critical Patch Update contains 30 new security fixes for Oracle MySQL. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

Columns Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-4436 | MySQL Enterprise Monitor | Monitor: General (Apache Struts 2) | HTTP over TLS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.1.5.7958 and earlier, 3.2.5.1141 and earlier, 3.3.2.1162 and earlier | |
| CVE-2017-5651 | MySQL Enterprise Monitor | Monitoring: Server (Apache Tomcat) | HTTP over TLS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.2.7.1204 and earlier, 3.3.3.1199 and earlier | |
| CVE-2017-5647 | MySQL Enterprise Monitor | Monitoring: Server (Apache Tomcat) | HTTP over TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 3.3.3.1199 and earlier | |
| CVE-2017-3633 | MySQL Server | Server: Memcached | Memcached | Yes | 6.5 | Network | High | None | None | Unchanged | None | Low | High | 5.6.36 and earlier, 5.7.18 and earlier | |
| CVE-2017-3634 | MySQL Server | Server: DML | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.6.36 and earlier, 5.7.18 and earlier | |
| CVE-2017-3732 | MySQL Connectors | Connector/C (OpenSSL) | MySQL Protocol | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 6.1.9 and earlier | |
| CVE-2017-3732 | MySQL Connectors | Connector/ODBC (OpenSSL) | MySQL Protocol | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 5.3.7 and earlier | |
| CVE-2017-3732 | MySQL Server | Server: Security: Encryption (OpenSSL) | MySQL Protocol | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 5.6.35 and earlier, 5.7.17 and earlier | |
| CVE-2017-3635 | MySQL Connectors | Connector/C | MySQL Protocol | No | 5.3 | Network | High | Low | None | Unchanged | None | None | High | 6.1.10 and earlier | See Note 1 |
| CVE-2017-3635 | MySQL Server | C API | MySQL Protocol | No | 5.3 | Network | High | Low | None | Unchanged | None | None | High | 5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier | See Note 1 |
| CVE-2017-3636 | MySQL Server | Client programs | MySQL Protocol | No | 5.3 | Local | Low | Low | None | Unchanged | Low | Low | Low | 5.5.56 and earlier, 5.6.36 and earlier | |
| CVE-2017-3529 | MySQL Server | Server: UDF | MySQL Protocol | No | 5.3 | Network | High | Low | None | Unchanged | None | None | High | 5.7.18 and earlier | |
| CVE-2017-3637 | MySQL Server | X Plugin | X Protocol | No | 5.3 | Network | High | Low | None | Unchanged | None | None | High | 5.7.18 and earlier | |
| CVE-2017-3639 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.18 and earlier | |
| CVE-2017-3640 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.18 and earlier | |
| CVE-2017-3641 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier | |
| CVE-2017-3643 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.18 and earlier | |
| CVE-2017-3644 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.18 and earlier | |
| CVE-2017-3638 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.18 and earlier | |
| CVE-2017-3642 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.18 and earlier | |
| CVE-2017-3645 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.18 and earlier | |
| CVE-2017-3646 | MySQL Server | X Plugin | X Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.16 and earlier | |
| CVE-2014-1912 | MySQL Cluster | CLSTCONF (Python) | MySQL Protocol | Yes | 4.8 | Network | High | None | None | Unchanged | None | Low | Low | 7.3.5 and earlier | |
| CVE-2017-3648 | MySQL Server | Server: Charsets | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier | |
| CVE-2017-3647 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 5.6.36 and earlier, 5.7.18 and earlier | |
| CVE-2017-3649 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 5.6.36 and earlier, 5.7.18 and earlier | |
| CVE-2017-3651 | MySQL Server | Client mysqldump | MySQL Protocol | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier | |
| CVE-2017-3652 | MySQL Server | Server: DDL | MySQL Protocol | No | 4.2 | Network | High | Low | None | Unchanged | Low | Low | None | 5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier | |
| CVE-2017-3650 | MySQL Server | C API | MySQL Protocol | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 5.7.18 and earlier | |
| CVE-2017-3653 | MySQL Server | Server: DDL | MySQL Protocol | No | 3.1 | Network | High | Low | None | Unchanged | None | Low | None | 5.5.56 and earlier, 5.6.36 and earlier, 5.7.18 and earlier | |

Notes:

The documentation has also been updated for the correct way to use mysql_stmt_close(). Please see:

https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-execute.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-fetch.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-error.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-errno.html, and https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-sqlstate.html

Additional CVEs addressed are below:

The fix for CVE-2016-4436 also addresses CVE-2016-4430, CVE-2016-4431, CVE-2016-4433, CVE-2016-4438, and CVE-2016-4465.

The fix for CVE-2017-3732 also addresses CVE-2016-7055, and CVE-2017-3731.

The fix for CVE-2017-5651 also addresses CVE-2017-5650.

Appendix - Oracle Support Tools

Oracle Support Tools Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Support Tools. This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Support Tools Risk Matrix