Appendix - Oracle Database ServerOracle Database Server Executive SummaryThis Critical Patch Update contains 5 new security fixes for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here. Please note that the Oracle Critical Patch Update Advisory for January 2016 was updated post release to clarify that CVE-2015-4923 is applicable to client-only installations. Database customers are strongly advised to apply the patches released in CPUJan2016 or later to their client-only installations. Oracle Database Server Risk Matrix
| CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
| Base Score | Access Vector | Access Complexity | Authen-
tication | Confiden-
tiality | Integrity | Avail-
ability |
|---|
| CVE-2016-3454 | Java VM | Multiple | None | Yes | 7.6 | Network | High | None | Complete | Complete | Complete | 11.2.0.4, 12.1.0.1, 12.1.0.2 | See Note 1 | | CVE-2016-0681 | Oracle OLAP | Oracle Net | Execute on DBMS_AW | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 11.2.0.4, 12.1.0.1, 12.1.0.2 | | CVE-2016-0677 | RDBMS Security | Kerberos | None | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 12.1.0.1, 12.1.0.2 | | CVE-2016-0690 | RDBMS Security | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | None | Partial | None | 11.2.0.4, 12.1.0.1, 12.1.0.2 | | CVE-2016-0691 | RDBMS Security | Oracle Net | Create Session | No | 4.0 | Network | Low | Single | None | Partial | None | 11.2.0.4, 12.1.0.1, 12.1.0.2 |
Notes: - The CVSS score is 7.6 only on Windows for Database versions prior to 12c. The CVSS is 5.1 (Confidentiality, Integrity and Availability is 'Partial+') for Database 12c on Windows and for all versions of Database on Linux, Unix and other platforms
Appendix - Oracle Fusion MiddlewareOracle Fusion Middleware Executive SummaryThis Critical Patch Update contains 22 new security fixes for Oracle Fusion Middleware. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here. Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the April 2016 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2016 Patch Availability Document for Oracle Products, My Oracle Support Note 2102148.1. Oracle Fusion Middleware Risk Matrix
| CVE# | Component | Protocol | Sub-
component | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
| Base Score | Access Vector | Access Complexity | Authen-
tication | Confiden-
tiality | Integrity | Avail-
ability |
|---|
| CVE-2016-3455 | Oracle Outside In Technology | Multiple | Outside In Filters | Yes | 9.0 | Network | Low | None | Complete | Partial | Partial | 8.5.0, 8.5.1, 8.5.2 | See Note 1 | | CVE-2015-7182 | Oracle GlassFish Server | HTTPS | Security | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 2.1.1 | | CVE-2015-7182 | Oracle OpenSSO | HTTPS | Web Agents | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 3.0-0.7 | | CVE-2015-7182 | Oracle Traffic Director | HTTPS | Security | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.1.1.7.0, 11.1.1.9.0 | | CVE-2015-3253 | Oracle WebCenter Sites | Multiple | Sites | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.1.1.8.0, 12.2.1 | | CVE-2016-0638 | Oracle WebLogic Server | JMS | Java Messaging Service | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 10.3.6, 12.1.2, 12.1.3, 12.2.1 | | CVE-2015-7182 | Oracle iPlanet Web Proxy Server | HTTPS | Security | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 4.0 | | CVE-2015-7182 | Oracle iPlanet Web Server | HTTPS | Security | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 7.0 | | CVE-2015-7547 | Oracle Exalogic Infrastructure | multiple | Base Image | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 1.0, 2.0 | | CVE-2016-0696 | Oracle WebLogic Server | HTTP | Console | Yes | 6.4 | Network | Low | None | Partial | Partial | None | 10.3.6 | | CVE-2016-0479 | Oracle Business Intelligence Enterprise Edition | HTTP | Analytics Scorecard | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0 | | CVE-2015-3195 | Oracle API Gateway | HTTPS | OAG | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.1.2.3.0, 11.1.2.4.0 | | CVE-2014-3576 | Oracle BI Publisher | Multiple | Security | Yes | 5.0 | Network | Low | None | None | None | Partial | 12.2.1.0.0 | | CVE-2015-3195 | Oracle Exalogic Infrastructure | HTTPS | Network Infra Framework | Yes | 5.0 | Network | Low | None | None | None | Partial | 1.0, 2.0 | | CVE-2015-3197 | Oracle Exalogic Infrastructure | HTTPS | Base Image | Yes | 4.3 | Network | Medium | None | Partial+ | None | None | 1.0, 2.0 | | CVE-2015-3197 | Oracle Tuxedo | HTTPS | Open SSL | Yes | 4.3 | Network | Medium | None | Partial | None | None | 12.1.1.0 | | CVE-2016-0675 | Oracle WebLogic Server | HTTP | Console | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.3.6, 12.1.2, 12.1.3 | | CVE-2016-0700 | Oracle WebLogic Server | HTTP | Console | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.3.6, 12.1.2, 12.1.3 | | CVE-2016-3416 | Oracle WebLogic Server | HTTP | Console | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.3.6, 12.1.2, 12.1.3, 12.2.1 | | CVE-2016-0468 | Oracle Business Intelligence Enterprise Edition | HTTP | Analytics Web General | No | 3.5 | Network | Medium | Single | None | Partial | None | 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0 | | CVE-2016-0671 | Oracle HTTP Server | HTTPS | OSSL Module | Yes | 2.6 | Network | High | None | Partial | None | None | 12.1.2.0 | | CVE-2016-0688 | Oracle WebLogic Server | HTTP | Core Components | Yes | 2.6 | Network | High | None | None | Partial | None | 10.3.6, 12.1.2, 12.1.3 |
Notes: Diablo 3 patch download blizzard. If you are logging in from a European or Asian client, you will need to wait for this patch to release in that region before it can be installed. - Outside In Technology is a suite of software development kits (SDKs). It does not have any particular associated protocol. The score here assumes that the hosting software passes data received over the network to Outside In Technology code. In any other cases, the scores could be lower than this.
Additional CVEs addressed: - CVE-2015-7182 fix also addresses CVE-2015-2721, CVE-2015-4000, CVE-2015-7181, CVE-2015-7183, CVE-2015-7575.
Appendix - Oracle Enterprise Manager Grid ControlOracle Enterprise Manager Grid Control Executive SummaryThis Critical Patch Update contains 2 new security fixes for Oracle Enterprise Manager Grid Control. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here. Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the April 2016 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2016 Patch Availability Document for Oracle Products, My Oracle Support Note 2102148.1. Oracle Enterprise Manager Grid Control Risk Matrix
| CVE# | Component | Protocol | Sub-
component | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
| Base Score | Access Vector | Access Complexity | Authen-
tication | Confiden-
tiality | Integrity | Avail-
ability |
|---|
| CVE-2015-7501 | Oracle Application Testing Suite | HTTPS | Install | No | 8.5 | Network | Medium | Single | Complete | Complete | Complete | 12.4.0.2, 12.5.0.2 | | CVE-2015-3197 | OSS Support Tools Oracle Explorer | HTTPS | Binaries | Yes | 4.3 | Network | Medium | None | Partial | None | None | 8.11.16.3.8 |
Appendix - Oracle ApplicationsOracle E-Business Suite Executive SummaryThis Critical Patch Update contains 7 new security fixes for the Oracle E-Business Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here. Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the April 2016 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (April 2016), My Oracle Support Note 2113110.1. Oracle E-Business Suite Risk Matrix
| CVE# | Component | Protocol | Sub-
component | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
| Base Score | Access Vector | Access Complexity | Authen-
tication | Confiden-
tiality | Integrity | Avail-
ability |
|---|
| CVE-2016-3466 | Oracle Field Service | HTTP | Wireless | Yes | 6.4 | Network | Low | None | Partial+ | Partial+ | None | 12.1.1, 12.1.2, 12.1.3 | | CVE-2016-3434 | Oracle Application Object Library | HTTP | Logout | Yes | 4.3 | Network | Medium | None | None | Partial | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5 | | CVE-2016-3439 | Oracle CRM Wireless | HTTP | Call Phone Number Page | Yes | 4.3 | Network | Medium | None | None | Partial | None | 12.1.3 | | CVE-2016-3437 | Oracle CRM Wireless | HTTP | Person Address Page | Yes | 4.3 | Network | Medium | None | None | Partial | None | 12.1.3 | | CVE-2016-3436 | Oracle Common Applications Calendar | HTTP | Tasks | Yes | 4.3 | Network | Medium | None | None | Partial | None | 12.1.1, 12.1.2, 12.1.3 | | CVE-2016-0697 | Oracle Application Object Library | Oracle Net | DB Privileges | No | 3.6 | Network | High | Single | Partial+ | Partial+ | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5 | | CVE-2016-3447 | Oracle Applications Framework | HTTP | OAF Core | Yes | 2.6 | Network | High | None | None | Partial | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5 |
Oracle Supply Chain Products Suite Executive SummaryThis Critical Patch Update contains 6 new security fixes for the Oracle Supply Chain Products Suite. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here. Oracle Supply Chain Products Suite Risk Matrix
| CVE# | Component | Protocol | Sub-
component | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
| Base Score | Access Vector | Access Complexity | Authen-
tication | Confiden-
tiality | Integrity | Avail-
ability |
|---|
| CVE-2016-3438 | Oracle Configurator | HTTP | JRAD Heartbeat | Yes | 6.4 | Network | Low | None | Partial | Partial | None | 12.1, 12.2 | | CVE-2015-3195 | Oracle Transportation Management | HTTPS | Install | Yes | 5.0 | Network | Low | None | None | None | Partial | 6.1, 6.2 | | CVE-2016-3456 | Oracle Complex Maintenance, Repair, and Overhaul | HTTP | Dialog Box | Yes | 4.3 | Network | Medium | None | None | Partial | None | 12.1.1, 12.1.2, 12.1.3 | | CVE-2016-3420 | Oracle Agile PLM | HTTP | Security | No | 3.6 | Network | High | Single | Partial | Partial | None | 9.3.1.1, 9.3.1.2, 9.3.2, 9.3.3 | | CVE-2016-3431 | Oracle Agile PLM | HTTP | Security | No | 3.6 | Network | High | Single | Partial | Partial | None | 9.3.1.1, 9.3.1.2, 9.3.2, 9.3.3 | | CVE-2016-3428 | Oracle Agile Engineering Data Management | ECI (Proprietary EDM Protocol) | Engineering Communication Interface | No | 1.8 | Adjacent Network | High | None | None | None | Partial | 6.1.3.0, 6.2.0.0 |
Oracle PeopleSoft Products Executive SummaryThis Critical Patch Update contains 15 new security fixes for Oracle PeopleSoft Products. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here. Oracle PeopleSoft Products Risk Matrix
| CVE# | Component | Protocol | Sub-
component | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
| Base Score | Access Vector | Access Complexity | Authen-
tication | Confiden-
tiality | Integrity | Avail-
ability |
|---|
| CVE-2016-3421 | PeopleSoft Enterprise PeopleTools | HTTP | Activity Guide | No | 6.5 | Network | Low | Single | Partial | Partial | Partial | 8.53, 8.54, 8.55 | | CVE-2016-3460 | PeopleSoft Enterprise HCM | HTTP | ePerformance | No | 5.5 | Network | Low | Single | Partial | Partial | None | 9.2 | | CVE-2016-3457 | PeopleSoft Enterprise HCM ePerformance | HTTP | Security | No | 5.5 | Network | Low | Single | Partial | Partial | None | 9.2 | | CVE-2016-0685 | PeopleSoft Enterprise PeopleTools | HTTP | File Processing | No | 5.5 | Network | Low | Single | Partial | Partial | None | 8.53, 8.54, 8.55 | | CVE-2016-0679 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Grids | No | 5.5 | Network | Low | Single | None | Partial+ | Partial+ | 8.53, 8, 54, 8.55 | | CVE-2016-0680 | PeopleSoft Enterprise SCM | HTTP | Services Procurement | No | 5.5 | Network | Low | Single | Partial | Partial | None | 9.1, 9.2 | | CVE-2016-3435 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Core Technology | Yes | 5.0 | Network | Low | None | None | None | Partial | 8.53, 8.54, 8.55 | | CVE-2016-0408 | PeopleSoft Enterprise PeopleTools | HTTP | Activity Guide | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.53, 8.54, 8.55 | | CVE-2016-3417 | PeopleSoft Enterprise PeopleTools | HTTP | PIA Search Functionality | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.53, 8.54, 8.55 | | CVE-2016-3442 | PeopleSoft Enterprise PeopleTools | HTTP | Portal | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.53, 8.54, 8.55 | | CVE-2016-0698 | PeopleSoft Enterprise PeopleTools | HTTP | Rich Text Editor | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.53, 8.54, 8.55 | | CVE-2015-3197 | PeopleSoft Enterprise PeopleTools | HTTPS | Security | Yes | 4.3 | Network | Medium | None | Partial | None | None | 8.53, 8.54, 8.55 | | CVE-2016-0407 | PeopleSoft Enterprise HCM | HTTP | Fusion HR Talent Integration | No | 4.0 | Network | Low | Single | Partial | None | None | 9.1, 9.2 | | CVE-2016-0683 | PeopleSoft Enterprise PeopleTools | HTTP | Search Framework | No | 4.0 | Network | Low | Single | None | Partial | None | 8.53, 8.54, 8.55 | | CVE-2016-3423 | PeopleSoft Enterprise PeopleTools | HTTP | Rich Text Editor | No | 3.5 | Network | Medium | Single | None | Partial | None | 8.53, 8.54, 8.55 |
Additional CVEs addressed: - CVE-2015-3197 fix also addresses CVE-2015-3195.
Oracle JD Edwards Products Executive SummaryThis Critical Patch Update contains 1 new security fix for Oracle JD Edwards Products. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here. Oracle JD Edwards Products Risk Matrix
| CVE# | Component | Protocol | Sub-
component | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
| Base Score | Access Vector | Access Complexity | Authen-
tication | Confiden-
tiality | Integrity | Avail-
ability |
|---|
| CVE-2015-1793 | JD Edwards EnterpriseOne Tools | HTTP | OneWorld Tools Security | Yes | 6.4 | Network | Low | None | Partial | Partial | None | 9.1, 9.2 |
Oracle Siebel CRM Executive SummaryThis Critical Patch Update contains 2 new security fixes for Oracle Siebel CRM. Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here. Oracle Siebel CRM Risk Matrix
| CVE# | Component | Protocol | Sub-
component | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
| Base Score | Access Vector | Access Complexity | Authen-
tication | Confiden-
tiality | Integrity | Avail-
ability |
|---|
| CVE-2016-0673 | Siebel UI Framework | HTTP | UIF Open UI | No | 5.5 | Network | Low | Single | Partial | Partial | None | 8.1.1, 8.2.2 | | CVE-2016-0674 | Siebel Core - Common Components | HTTP | Email | No | 3.2 | Local | Low | Single | Partial | Partial | None | 8.1.1, 8.2.2 |
Appendix - Oracle Industry ApplicationsOracle Communications Applications Executive SummaryThis Critical Patch Update contains 1 new security fix for Oracle Communications Applications. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here. Can anybody give idea about this course and study materials for the same. SAP Professionals, I want to know about C_TSCM62_60 SAP Course for Certification. Cisco cda patch download. Is there any other function for this? Oracle Communications Applications Risk Matrix
| CVE# | Component | Protocol | Sub-
component | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
| Base Score | Access Vector | Access Complexity | Authen-
tication | Confiden-
tiality | Integrity | Avail-
ability |
|---|
| CVE-2014-2532 | Oracle Communications User Data Repository | OpenSSH | Security | No | 4.9 | Network | Medium | Single | Partial | Partial | None | 10.0.1 |
Oracle Retail Applications Executive SummaryThis Critical Patch Update contains 3 new security fixes for Oracle Retail Applications. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here. Oracle Retail Applications Risk Matrix
| CVE# | Component | Protocol | Sub-
component | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
| Base Score | Access Vector | Access Complexity | Authen-
tication | Confiden-
tiality | Integrity | Avail-
ability |
|---|
| CVE-2016-0684 | Oracle Retail MICROS ARS POS | Oracle Net | POS | No | 6.8 | Network | Low | Single | Complete | None | None | 1.5 | | CVE-2016-3429 | Oracle Retail Xstore Point of Service | HTTP | Xstore Services | No | 5.4 | Local | Medium | None | Complete | Partial | None | 5.0, 5.5, 6.0, 6.5, 7.0, 7.1 | | CVE-2016-0469 | Oracle Retail MICROS C2 | HTTPS | POS | No | 4.6 | Local | Low | Single | Complete | None | None | 9.89.0.0 |
Oracle Health Sciences Applications Executive SummaryThis Critical Patch Update contains 1 new security fix for Oracle Health Sciences Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here. Oracle Health Sciences Applications Risk Matrix
| CVE# | Component | Protocol | Sub-
component | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
| Base Score | Access Vector | Access Complexity | Authen-
tication | Confiden-
tiality | Integrity | Avail-
ability |
|---|
| CVE-2015-3195 | Oracle Life Sciences Data Hub | HTTPS | Open SSL | Yes | 5.0 | Network | Low | None | None | None | Partial | 2.1 |
Appendix - Oracle Financial Services SoftwareOracle Financial Services Software Executive SummaryThis Critical Patch Update contains 4 new security fixes for Oracle Financial Services Software. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here. Oracle Financial Services Software Risk Matrix
| CVE# | Component | Protocol | Sub-
component | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
| Base Score | Access Vector | Access Complexity | Authen-
tication | Confiden-
tiality | Integrity | Avail-
ability |
|---|
| CVE-2016-0699 | Oracle FLEXCUBE Direct Banking | HTTP | Login | Yes | 9.4 | Network | Low | None | Complete | Complete | None | 12.0.2, 12.0.3 | | CVE-2016-0672 | Oracle FLEXCUBE Direct Banking | HTTP | Pre-Login | Yes | 5.0 | Network | Low | None | Partial | None | None | 12.0.2, 12.0.3 | | CVE-2016-3463 | Oracle FLEXCUBE Direct Banking | HTTP | Pre-Login | Yes | 5.0 | Network | Low | None | Partial | None | None | 12.0.3 | | CVE-2016-3464 | Oracle FLEXCUBE Direct Banking | HTTP | Accounts | No | 4.0 | Network | Low | Single | Partial | None | None | 12.0.3 |
Appendix - Oracle Java SEOracle Java SE Executive SummaryThis Critical Patch Update contains 9 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are 'Partial' instead of 'Complete', lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.
Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 and 8 releases.
Oracle Java SE Risk Matrix
| CVE# | Component | Protocol | Sub-
component | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
| Base Score | Access Vector | Access Complexity | Authen-
tication | Confiden-
tiality | Integrity | Avail-
ability |
|---|
| CVE-2016-3443 | Java SE | Multiple | 2D | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE: 6u113, 7u99, 8u77 | See Note 1 | | CVE-2016-0687 | Java SE, Java SE Embedded | Multiple | Hotspot | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77 | See Note 1 | | CVE-2016-0686 | Java SE, Java SE Embedded | Multiple | Serialization | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77 | See Note 1 | | CVE-2016-3427 | Java SE, Java SE Embedded, JRockit | Multiple | JMX | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77; JRockit: R28.3.9 | See Note 2 | | CVE-2016-3449 | Java SE | Multiple | Deployment | Yes | 7.6 | Network | High | None | Complete | Complete | Complete | Java SE: 6u113, 7u99, 8u77 | See Note 1 | | CVE-2016-3422 | Java SE | Multiple | 2D | Yes | 5.0 | Network | Low | None | None | None | Partial | Java SE: 6u113, 7u99, 8u77 | See Note 1 | | CVE-2016-3425 | Java SE, Java SE Embedded, JRockit | Multiple | JAXP | Yes | 5.0 | Network | Low | None | None | None | Partial | Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77; JRockit: R28.3.9 | See Note 2 | | CVE-2016-3426 | Java SE, Java SE Embedded | Multiple | JCE | Yes | 4.3 | Network | Medium | None | Partial | None | None | Java SE: 8u77; Java SE Embedded: 8u77 | See Note 1 | | CVE-2016-0695 | Java SE, Java SE Embedded, JRockit | Multiple | Security | Yes | 2.6 | Network | High | None | Partial | None | None | Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77; JRockit: R28.3.9 | See Note 3 |
Notes: - This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
- Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
- Applies to client and server deployment of JSSE.
Appendix - Oracle Sun Systems Products SuiteOracle Sun Systems Products Suite Executive SummaryThis Critical Patch Update contains 18 new security fixes for the Oracle Sun Systems Products Suite. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here. Oracle Sun Systems Products Suite Risk Matrix
| CVE# | Component | Protocol | Sub-
component | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
| Base Score | Access Vector | Access Complexity | Authen-
tication | Confiden-
tiality | Integrity | Avail-
ability |
|---|
| CVE-2016-0693 | Solaris | Multiple | PAM LDAP module | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 10, 11.3 | | CVE-2013-4786 | Fujitsu M10-1, M10-4, M10-4S Servers | IPMI | XCP Firmware | Yes | 7.8 | Network | Low | None | Complete | None | None | XCP prior to XCP2290 | | CVE-2016-3441 | Solaris | None | Filesystem | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 10, 11.3 | | CVE-2015-7547 | Fujitsu M10-1, M10-4, M10-4S Servers | Multiple | XCP Firmware | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | XCP prior to XCP2290 | | CVE-2015-1793 | Oracle Ethernet Switch ES2-72, Oracle Ethernet Switch ES2-64 | HTTPS | Firmware | Yes | 6.4 | Network | Low | None | Partial | Partial | None | Versions prior to 2.0.0.6 | | CVE-2015-3238 | SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers | Multiple | XCP Firmware | Yes | 5.8 | Network | Medium | None | Partial | None | Partial | XCP prior to XCP 1121 | | CVE-2016-0669 | Solaris | None | Fwflash | No | 5.2 | Local | Low | Single | None | Partial | Complete | 11.3 | | CVE-2015-7236 | Solaris | RPC | Utilities | Yes | 5.0 | Network | Low | None | None | None | Partial | 10, 11.3 | | CVE-2011-4461 | Sun Storage Common Array Manager | HTTP | Jetty Web Server | Yes | 5.0 | Network | Low | None | None | None | Partial | 6.9.0 | | CVE-2016-3462 | Solaris | None | Network Configuration Service | No | 4.9 | Local | Low | None | None | None | Complete | 11.3 | | CVE-2016-3465 | Solaris | None | ZFS | No | 4.9 | Local | Low | None | None | None | Complete | 10, 11.3 | | CVE-2013-2566 | SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers | HTTPS | XCP Firmware | Yes | 4.3 | Network | Medium | None | Partial | None | None | XCP prior to XCP 1121 | | CVE-2015-4000 | SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers | HTTPS | XCP Firmware | Yes | 4.3 | Network | Medium | None | None | Partial | None | XCP prior to XCP 1121 | | CVE-2015-1789 | SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers | HTTPS | XCP Firmware | Yes | 4.3 | Network | Medium | None | None | None | Partial | XCP prior to XCP 1121 | | CVE-2016-0623 | Solaris | Multiple | Automated Installer | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.3 | | CVE-2014-3566 | Solaris Cluster | HTTPS | GlassFish Server | Yes | 4.3 | Network | Medium | None | Partial | None | None | 4.2 | | CVE-2016-0676 | Solaris | None | Kernel | No | 4.0 | Local | High | None | None | None | Complete | 10 | | CVE-2016-3419 | Solaris | None | Filesystem | No | 2.1 | Local | Low | None | None | None | Partial+ | 10, 11.3 |
Additional CVEs addressed: - CVE-2013-2566 fix also addresses CVE-2015-2808.
- CVE-2015-1789 fix also addresses CVE-2015-1790.
Appendix - Oracle Linux and VirtualizationOracle Virtualization Executive SummaryThis Critical Patch Update contains 4 new security fixes for Oracle Virtualization. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here. Oracle Virtualization Risk Matrix
| CVE# | Component | Protocol | Sub-
component | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
| Base Score | Access Vector | Access Complexity | Authen-
tication | Confiden-
tiality | Integrity | Avail-
ability |
|---|
| CVE-2015-3195 | Oracle VM VirtualBox | HTTPS | Core | Yes | 5.0 | Network | Low | None | None | None | Partial | VirtualBox prior to 4.3.36, prior to 5.0.14 | | CVE-2015-3195 | Sun Ray Software | HTTPS | Sun Ray Server Software | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.1 | | CVE-2015-3197 | Oracle VM VirtualBox | HTTPS | Core | Yes | 4.3 | Network | Medium | None | Partial | None | None | VirtualBox prior to 5.0.16 | | CVE-2016-0678 | Oracle VM VirtualBox | None | Core | No | 4.1 | Local | Medium | Single | Partial+ | Partial+ | Partial+ | VirtualBox prior to 5.0.18 |
Additional CVEs addressed: - CVE-2015-3195 fix also addresses CVE-2015-1794, CVE-2015-3193, CVE-2015-3194, CVE-2015-3196.
Appendix - Oracle MySQLOracle MySQL Executive SummaryThis Critical Patch Update contains 31 new security fixes for Oracle MySQL. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here. Oracle MySQL Risk Matrix
| CVE# | Component | Protocol | Sub-
component | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
| Base Score | Access Vector | Access Complexity | Authen-
tication | Confiden-
tiality | Integrity | Avail-
ability |
|---|
| CVE-2016-0705 | MySQL Server | MySQL Protocol | Server: Packaging | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 5.6.29 and earlier, 5.7.11 and earlier | | CVE-2016-0639 | MySQL Server | MySQL Protocol | Server: Pluggable Authentication | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 5.6.29 and earlier, 5.7.11 and earlier | | CVE-2015-3194 | MySQL Server | MySQL Protocol | Server: Security: Encryption | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 5.6.28 and earlier, 5.7.10 and earlier | | CVE-2016-0640 | MySQL Server | MySQL Protocol | Server: DML | No | 4.9 | Network | Medium | Single | None | Partial | Partial+ | 5.5.47 and earlier, 5.6.28 and earlier, 5.7.10 and earlier | | CVE-2016-0641 | MySQL Server | MySQL Protocol | Server: MyISAM | No | 4.9 | Network | Medium | Single | Partial | None | Partial+ | 5.5.47 and earlier, 5.6.28 and earlier, 5.7.10 and earlier | | CVE-2016-3461 | MySQL Enterprise Monitor | Multiple | Monitoring: Server | No | 4.3 | Network | High | Multiple | Partial+ | Partial+ | Partial+ | 3.0.25 and earlier, 3.1.2 and earlier | | CVE-2016-2047 | MySQL Server | MySQL Protocol | Server: Connection Handling | Yes | 4.3 | Network | Medium | None | None | Partial | None | 5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier | | CVE-2016-0642 | MySQL Server | MySQL Protocol | Server: Federated | No | 4.3 | Network | Medium | Multiple | None | Partial | Partial+ | 5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier | | CVE-2016-0643 | MySQL Server | MySQL Protocl | Server: DML | No | 4.0 | Network | Low | Single | Partial | None | None | 5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier | | CVE-2016-0644 | MySQL Server | MySQL Protocol | Server: DDL | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.47 and earlier, 5.6.28 and earlier, 5.7.10 and earlier | | CVE-2016-0646 | MySQL Server | MySQL Protocol | Server: DML | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.47 and earlier, 5.6.28 and earlier, 5.7.10 and earlier | | CVE-2016-0647 | MySQL Server | MySQL Protocol | Server: FTS | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier | | CVE-2016-0648 | MySQL Server | MySQL Protocol | Server: PS | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier | | CVE-2016-0649 | MySQL Server | MySQL Protocol | Server: PS | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.47 and earlier, 5.6.28 and earlier, 5.7.10 and earlier | | CVE-2016-0650 | MySQL Server | MySQL Protocol | Server: Replication | No | 4.0 | Network | Low | Single | None | None | Partial+ | 5.5.47 and earlier, 5.6.28 and earlier, 5.7.10 and earlier | | CVE-2016-0652 | MySQL Server | MySQL Protocol | Server: DML | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.10 and earlier | | CVE-2016-0653 | MySQL Server | MySQL Protocol | Server: FTS | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.10 and earlier | | CVE-2016-0654 | MySQL Server | MySQL Protocol | Server: InnoDB | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.10 and earlier | | CVE-2016-0655 | MySQL Server | MySQL Protocol | Server: InnoDB | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.29 and earlier, 5.7.11 and earlier | | CVE-2016-0656 | MySQL Server | MySQL Protocol | Server: InnoDB | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.10 and earlier | | CVE-2016-0657 | MySQL Server | MySQL Protocol | Server: JSON | No | 3.5 | Network | Medium | Single | Partial | None | None | 5.7.11 and earlier | | CVE-2016-0658 | MySQL Server | MySQL Protocol | Server: Optimizer | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.10 and earlier | | CVE-2016-0651 | MySQL Server | MySQL Protocol | Server: Optimizer | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.5.46 and earlier | | CVE-2016-0659 | MySQL Server | MySQL Protocol | Server: Optimizer | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.11 and earlier | | CVE-2016-0661 | MySQL Server | MySQL Protocol | Server: Options | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.28 and earlier, 5.7.10 and earlier | | CVE-2016-0662 | MySQL Server | MySQL Protocol | Server: Partition | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.11 and earlier | | CVE-2016-0663 | MySQL Server | MySQL Protocol | Server: Performance Schema | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.7.10 and earlier | | CVE-2016-0665 | MySQL Server | MySQL Protocol | Server: Security: Encryption | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.6.28 and earlier 5.7.10 and earlier | | CVE-2016-0666 | MySQL Server | MySQL Protocol | Server: Security: Privileges | No | 3.5 | Network | Medium | Single | None | None | Partial+ | 5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier | | CVE-2016-0667 | MySQL Server | MySQL Protocol | Server: Locking | No | 2.8 | Network | Medium | Multiple | None | None | Partial+ | 5.7.11 and earlier | | CVE-2016-0668 | MySQL Server | MySQL Protocol | Server: InnoDB | No | 1.7 | Network | High | Multiple | None | None | Partial+ | 5.6.28 and earlier 5.7.10 and earlier |
Additional CVEs addressed: - CVE-2015-3194 fix also addresses CVE-2015-3195.
- CVE-2016-0705 fix also addresses CVE-2015-3197, CVE-2016-0702, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799, CVE-2016-0800.
Appendix - Oracle Berkeley DBOracle Berkeley DB Executive SummaryThis Critical Patch Update contains 5 new security fixes for Oracle Berkeley DB. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here. Oracle Berkeley DB Risk Matrix
| CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
| Base Score | Access Vector | Access Complexity | Authen-
tication | Confiden-
tiality | Integrity | Avail-
ability |
|---|
| CVE-2016-0682 | DataStore | None | None | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, 12.1.6.1.26 | | CVE-2016-0689 | DataStore | None | None | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, 12.1.6.1.26 | | CVE-2016-0692 | DataStore | None | None | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, 12.1.6.1.26 | | CVE-2016-0694 | DataStore | None | None | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, 12.1.6.1.26 | | CVE-2016-3418 | DataStore | None | None | No | 6.9 | Local | Medium | None | Complete | Complete | Complete | 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, 12.1.6.1.26 |
|
