This issue is caused by having virtual network devices, usually installed by virtual machines.
React Native chooses the first available network IP which may not be the correct one. To fix this issue you have to find your local IP address, by entering the Command Prompt and typing:
ipconfig
or
ipconfig /all If you are on WiFi, look for the WiFi section, and note down your IPv4 Address
If you
are on Ethernet, look for the Ethernet Adapter section, and note down your IPv4 Address For Example: Once you have your local IP address,
navigate to your project folder inside Command Prompt.
Inside your project folder run the command. set REACT_NATIVE_PACKAGER_HOSTNAME=my-custom-ip-address
Replace my-custom-ip-address with your IPv4 Address you noted down earlier. For example: Then run npm start
Scan your QRCode through the Expo app and it should be working. - Click to view our Accessibility Policy
- Skip to content
DescriptionA Critical Patch Update is a collection of patches for multiple
security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to
“Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories. Starting with the October 2020 Critical Patch Update, Oracle lists updates that address vulnerabilities in third-party components which are not exploitable in the context of their inclusion in their respective Oracle product beneath the product's risk matrix. Oracle has published two versions of the October 2020
Critical Patch Update Advisory: this version of the advisory implemented the change in how non-exploitable vulnerabilities in third-party components are reported, and the “traditional” advisory follows the same format as the previous advisories. The “traditional” advisory is published at https://www.oracle.com/security-alerts/cpuoct2020traditional.html. Oracle continues to
periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay. This Critical Patch Update contains 403 new
security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at October 2020 Critical Patch Update: Executive Summary and Analysis. Security vulnerabilities addressed by this Critical Patch Update affect the
products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.
| Affected Products and Versions | Patch Availability Document |
|---|
| Application Performance Management (APM), versions 13.3.0.0, 13.4.0.0
| Enterprise Manager
| | Big Data Spatial and Graph, versions prior to 3.0
| Database
| | Enterprise Manager Base Platform, versions 13.2.1.0, 13.3.0.0, 13.4.0.0
| Enterprise Manager
| | Enterprise Manager for Peoplesoft, version 13.4.1.1
| Enterprise Manager
| | Enterprise Manager for Storage Management, versions 13.3.0.0, 13.4.0.0
| Enterprise Manager
| | Enterprise Manager Ops Center, version 12.4.0.0
| Enterprise Manager
| | Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2362, prior to XCP3090
| Systems
| | Fujitsu M12-1, M12-2, M12-2S Servers, versions prior to XCP3090
| Systems
| | Hyperion Analytic Provider Services, version 11.1.2.4
| Fusion Middleware
| | Hyperion BI+, version 11.1.2.4
| Fusion Middleware
| | Hyperion Essbase, version 11.1.2.4
| Fusion Middleware
| | Hyperion Infrastructure Technology, version 11.1.2.4
| Fusion Middleware
| | Hyperion Lifecycle Management, version 11.1.2.4
| Fusion Middleware
| | Hyperion Planning, version 11.1.2.4
| Fusion Middleware
| | Identity Manager Connector, version 9.0
| Fusion Middleware
| | Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3
| Oracle Construction and Engineering Suite
| | Management Pack for Oracle GoldenGate, version 12.2.1.2.0
| Fusion Middleware
| | MySQL Cluster, versions 7.3.30 and prior, 7.4.29 and prior, 7.5.19 and prior, 7.6.15 and prior, 8.0.21 and prior
| MySQL
| | MySQL Enterprise Monitor, versions 8.0.21 and prior
| MySQL
| | MySQL Server, versions 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
| MySQL
| | MySQL Workbench, versions 8.0.21 and prior
| MySQL
| | Oracle Access Manager, version 11.1.2.3.0
| Fusion Middleware
| | Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6
| Oracle Supply Chain Products
| | Oracle Agile Product Lifecycle Management for Process, version 6.2.0.0
| Oracle Supply Chain Products
| | Oracle Application Express, versions prior to 20.2
| Database
| | Oracle Application Testing Suite, version 13.3.0.1
| Enterprise Manager
| | Oracle Banking Corporate Lending, versions 12.3.0, 14.0.0-14.4.0
| Oracle Financial Services Applications
| | Oracle Banking Digital Experience, versions 18.1, 18.2, 18.3, 19.1, 19.2, 20.1
| Oracle Financial Services Applications
| | Oracle Banking Payments, versions 14.1.0-14.4.0
| Oracle Financial Services Applications
| | Oracle Banking Platform, versions 2.4.0-2.10.0
| Oracle Banking Platform
| | Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
| Fusion Middleware
| | Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
| Fusion Middleware
| | Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0
| Fusion Middleware
| | Oracle Communications Application Session Controller, versions 3.8m0, 3.9m0p1
| Oracle Communications Application Session Controller
| | Oracle Communications Billing and Revenue Management, versions 7.5.0.23.0, 12.0.0.2.0, 12.0.0.3.0
| Oracle Communications Billing and Revenue Management
| | Oracle Communications BRM - Elastic Charging Engine, versions 11.3.0.9.0, 12.0.0.3.0
| Oracle Communications BRM - Elastic Charging Engine
| | Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0.0-8.4.0.5, [IDIH] 8.0.0-8.2.2
| Oracle Communications Diameter Signaling Router
| | Oracle Communications EAGLE Software, versions 46.6.0-46.8.2
| Oracle Communications EAGLE
| | Oracle Communications Element Manager, versions 8.2.0-8.2.2
| Oracle Communications Element Manager
| | Oracle Communications Evolved Communications Application Server, version 7.1
| Oracle Communications Evolved Communications Application Server
| | Oracle Communications Messaging Server, version 8.1
| Oracle Communications Messaging Server
| | Oracle Communications Offline Mediation Controller, version 12.0.0.3.0
| Oracle Communications Offline Mediation Controller
| | Oracle Communications Services Gatekeeper, version 7
| Oracle Communications Services Gatekeeper
| | Oracle Communications Session Border Controller, versions 8.2-8.4
| Oracle Communications Session Border Controller
| | Oracle Communications Session Report Manager, versions 8.2.0-8.2.2
| Oracle Communications Session Report Manager
| | Oracle Communications Session Route Manager, versions 8.2.0-8.2.2
| Oracle Communications Session Route Manager
| | Oracle Communications Unified Inventory Management, versions 7.3.0, 7.4.0
| Oracle Communications Unified Inventory Management
| | Oracle Communications WebRTC Session Controller, version 7.2
| Oracle Communications WebRTC Session Controller
| | Oracle Data Integrator, versions 11.1.1.9.0, 12.2.1.3.0
| Fusion Middleware
| | Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
| Database
| | Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10
| E-Business Suite
| | Oracle Endeca Information Discovery Integrator, version 3.2.0
| Fusion Middleware
| | Oracle Endeca Information Discovery Studio, version 3.2.0
| Fusion Middleware
| | Oracle Enterprise Repository, version 11.1.1.7.0
| Fusion Middleware
| | Oracle Enterprise Session Border Controller, version 8.4
| Oracle Enterprise Session Border Controller
| | Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0
| Oracle Financial Services Analytical Applications Infrastructure
| | Oracle Financial Services Analytical Applications Reconciliation Framework, versions 8.0.6-8.0.8, 8.1.0
| Oracle Financial Services Analytical Applications Reconciliation Framework
| | Oracle Financial Services Asset Liability Management, versions 8.0.6, 8.0.7, 8.1.0
| Oracle Financial Services Asset Liability Management
| | Oracle Financial Services Balance Sheet Planning, version 8.0.8
| Oracle Financial Services Balance Sheet Planning
| | Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.6-8.0.8, 8.1.0
| Oracle Financial Services Basel Regulatory Capital Basic
| | Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.6-8.0.8, 8.1.0
| Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach
| | Oracle Financial Services Data Foundation, versions 8.0.6-8.1.0
| Oracle Financial Services Data Foundation
| | Oracle Financial Services Data Governance for US Regulatory Reporting, versions 8.0.6-8.0.9
| Oracle Financial Services Data Governance for US Regulatory Reporting
| | Oracle Financial Services Data Integration Hub, versions 8.0.6, 8.0.7, 8.1.0
| Oracle Financial Services Data Integration Hub
| | Oracle Financial Services Funds Transfer Pricing, versions 8.0.6, 8.0.7, 8.1.0
| Oracle Financial Services Funds Transfer Pricing
| | Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.6-8.0.8, 8.1.0
| Oracle Financial Services Hedge Management and IFRS Valuations
| | Oracle Financial Services Institutional Performance Analytics, versions 8.0.6, 8.0.7, 8.1.0, 8.7.0
| Oracle Financial Services Institutional Performance Analytics
| | Oracle Financial Services Liquidity Risk Management, version 8.0.6
| Oracle Financial Services Liquidity Risk Management
| | Oracle Financial Services Liquidity Risk Measurement and Management, versions 8.0.7, 8.0.8, 8.1.0
| Oracle Financial Services Liquidity Risk Measurement and Management
| | Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.6-8.0.8, 8.1.0
| Oracle Financial Services Loan Loss Forecasting and Provisioning
| | Oracle Financial Services Market Risk Measurement and Management, versions 8.0.6, 8.0.8, 8.1.0
| Oracle Financial Services Market Risk Measurement and Management
| | Oracle Financial Services Price Creation and Discovery, versions 8.0.6, 8.0.7
| Oracle Financial Services Price Creation And Discovery
| | Oracle Financial Services Profitability Management, versions 8.0.6, 8.0.7, 8.1.0
| Oracle Financial Services Profitability Management
| | Oracle Financial Services Regulatory Reporting for European Banking Authority, versions 8.0.6-8.1.0
| Oracle Financial Services Regulatory Reporting for European Banking Authority
| | Oracle Financial Services Regulatory Reporting for US Federal Reserve, versions 8.0.6-8.0.9
| Oracle Financial Services Regulatory Reporting for US Federal Reserve
| | Oracle Financial Services Regulatory Reporting with AgileREPORTER, version 8.0.9.2.0
| Oracle Financial Services Regulatory Reporting with AgileREPORTER
| | Oracle Financial Services Retail Customer Analytics, version 8.0.6
| Oracle Financial Services Retail Customer Analytics
| | Oracle FLEXCUBE Core Banking, versions 5.2.0, 11.5.0-11.7.0
| Oracle Financial Services Applications
| | Oracle FLEXCUBE Direct Banking, versions 12.0.1, 12.0.2, 12.0.3
| Oracle Financial Services Applications
| | Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0
| Oracle Financial Services Applications
| | Oracle FLEXCUBE Universal Banking, versions 12.3.0, 14.0.0-14.4.0
| Oracle Financial Services Applications
| | Oracle GoldenGate Application Adapters, versions 12.3.2.1.0, 19.1.0.0.0
| Fusion Middleware
| | Oracle GraalVM Enterprise Edition, versions 19.3.3, 20.2.0
| Oracle GraalVM Enterprise Edition
| | Oracle Health Sciences Empirica Signal, version 9.0
| Health Sciences
| | Oracle Healthcare Data Repository, version 7.0.1
| Health Sciences
| | Oracle Healthcare Foundation, versions 7.1.1, 7.2.0, 7.2.1, 7.3.0
| Health Sciences
| | Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1
| Oracle Hospitality Guest Access
| | Oracle Hospitality Materials Control, version 18.1
| Oracle Hospitality Materials Control
| | Oracle Hospitality OPERA 5 Property Services, versions 5.5, 5.6
| Oracle Hospitality OPERA 5 Property Services
| | Oracle Hospitality Reporting and Analytics, version 9.1.0
| Oracle Hospitality Reporting and Analytics
| | Oracle Hospitality RES 3700, version 5.7
| Oracle Hospitality RES
| | Oracle Hospitality Simphony, versions 18.1, 18.2, 19.1.0-19.1.2
| Oracle Hospitality Simphony
| | Oracle Hospitality Suite8, versions 8.10.2, 8.11-8.14
| Oracle Hospitality Suite8
| | Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0
| Fusion Middleware
| | Oracle Insurance Accounting Analyzer, version 8.0.9
| Oracle Insurance Accounting Analyzer
| | Oracle Insurance Allocation Manager for Enterprise Profitability, versions 8.0.8, 8.1.0
| Oracle Insurance Allocation Manager for Enterprise Profitability
| | Oracle Insurance Data Foundation, versions 8.0.6-8.1.0
| Oracle Insurance Data Foundation
| | Oracle Insurance Insbridge Rating and Underwriting, versions 5.0.0.0-5.6.0.0, 5.6.1.0
| Oracle Insurance Applications
| | Oracle Insurance Policy Administration J2EE, versions 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26, 11.2.2.0
| Oracle Insurance Applications
| | Oracle Insurance Rules Palette, versions 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26
| Oracle Insurance Applications
| | Oracle Java SE, versions 7u271, 8u261, 11.0.8, 15
| Java SE
| | Oracle Java SE Embedded, version 8u261
| Java SE
| | Oracle JDeveloper, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
| Fusion Middleware
| | Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0
| Fusion Middleware
| | Oracle Outside In Technology, versions 8.5.4, 8.5.5
| Fusion Middleware
| | Oracle Policy Automation, versions 12.2.0-12.2.20
| Oracle Policy Automation
| | Oracle Policy Automation Connector for Siebel, version 10.4.6
| Oracle Policy Automation
| | Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.20
| Oracle Policy Automation
| | Oracle REST Data Services, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, [Standalone ORDS] prior to 20.2.1
| Database
| | Oracle Retail Advanced Inventory Planning, version 14.1
| Retail Applications
| | Oracle Retail Assortment Planning, versions 15.0.3.0, 16.0.3.0
| Retail Applications
| | Oracle Retail Back Office, versions 14.0, 14.1
| Retail Applications
| | Oracle Retail Bulk Data Integration, versions 15.0.3.0, 16.0.3.0
| Retail Applications
| | Oracle Retail Central Office, versions 14.0, 14.1
| Retail Applications
| | Oracle Retail Customer Management and Segmentation Foundation, versions 18.0, 19.0
| Retail Applications
| | Oracle Retail Integration Bus, versions 14.1, 15.0, 16.0
| Retail Applications
| | Oracle Retail Order Broker, versions 15.0, 16.0, 18.0, 19.0, 19.1, 19.2, 19.3
| Retail Applications
| | Oracle Retail Point-of-Service, versions 14.0, 14.1
| Retail Applications
| | Oracle Retail Predictive Application Server, versions 14.1.3.0, 15.0.3.0, 16.0.3.0
| Retail Applications
| | Oracle Retail Price Management, versions 14.0.4, 14.1.3.0, 15.0.3.0, 16.0.3.0
| Retail Applications
| | Oracle Retail Returns Management, versions 14.0, 14.1
| Retail Applications
| | Oracle Retail Service Backbone, versions 14.1, 15.0, 16.0
| Retail Applications
| | Oracle Retail Xstore Point of Service, versions 15.0.3, 16.0.5, 17.0.3, 18.0.2, 19.0.1
| Retail Applications
| | Oracle Solaris, versions 10, 11
| Systems
| | Oracle TimesTen In-Memory Database, versions prior to 11.2.2.8.49, prior to 18.1.3.1.0, prior to 18.1.4.1.0
| Database
| | Oracle Transportation Management, version 6.3.7
| Oracle Supply Chain Products
| | Oracle Utilities Framework, versions 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0
| Oracle Utilities Applications
| | Oracle VM VirtualBox, versions prior to 6.1.16
| Virtualization
| | Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
| Fusion Middleware
| | Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
| Fusion Middleware
| | Oracle ZFS Storage Appliance Kit, version 8.8
| Systems
| | PeopleSoft Enterprise HCM Global Payroll Core, version 9.2
| PeopleSoft
| | PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58
| PeopleSoft
| | PeopleSoft Enterprise SCM eSupplier Connection, version 9.2
| PeopleSoft
| | Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.8
| Oracle Construction and Engineering Suite
| | Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12
| Oracle Construction and Engineering Suite
| | Siebel Applications, versions 20.7, 20.8
| Siebel
|
Note:- Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
- Vulnerabilities affecting
Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
- Solaris Third Party Bulletins are used to announce
security patches for third party software distributed with Oracle Solaris. Solaris 10 customers should refer to the latest patch-sets which contain critical security fixes and detailed in Systems Patch Availability Document. Please see Reference Index of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more information.
- Users running Java SE with a browser can download the latest release
from https://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
Risk Matrix ContentRisk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in
previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here. Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is its
unique identifier. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed. Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how
Oracle applies CVSS version 3.1). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct
their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies. The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a
protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS. WorkaroundsDue to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols
required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem. Skipped
Critical Patch UpdatesOracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions. Critical Patch Update Supported Products
and VersionsPatches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they
are currently running. Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions. Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software
Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support. Credit StatementThe following people or organizations reported security vulnerabilities addressed by
this Critical Patch Update to Oracle: - 0rich2 Ant Security FG Lab: CVE-2020-14841
- Aaron Carreras of FireEye: CVE-2020-14871
- Abdulrahman Nour of Redforce: CVE-2020-14823
- Ahmed Elhady Mohamed of Ahmed Mohamed: CVE-2020-14768
- Akshay Gaikwad: CVE-2020-14762
- Alessandro Bosco of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
- Alexander Kornbrust of Red Database Security: CVE-2020-14742, CVE-2020-14901
- Alves Christopher of Telecom Nancy:
CVE-2020-14867
- Ammarit Thongthua of Secure D Center Cybersecurity Team: CVE-2020-14778
- Amy Tran: CVE-2020-14822, CVE-2020-14831, CVE-2020-14833, CVE-2020-14834, CVE-2020-14849, CVE-2020-14850, CVE-2020-14851, CVE-2020-14856, CVE-2020-14857
- Andrej Simko of Accenture: CVE-2020-14774, CVE-2020-14808
- Anonymous researcher working with Trend Micro's Zero Day Initiative: CVE-2020-14841, CVE-2020-14881, CVE-2020-14884, CVE-2020-14885, CVE-2020-14886
- Bui Duong from
Viettel Cyber Security: CVE-2020-14879, CVE-2020-14880
- Chi Tran: CVE-2020-14822, CVE-2020-14831, CVE-2020-14833, CVE-2020-14834, CVE-2020-14849, CVE-2020-14850, CVE-2020-14851, CVE-2020-14856, CVE-2020-14857
- codeplutos of AntGroup FG Security Lab: CVE-2020-14825
- Damian Bury: CVE-2020-14767, CVE-2020-14770
- Darragh Duffy: CVE-2020-14744
- Eddie Zhu of Beijing DBSEC Technology Co., Ltd: CVE-2020-14741
- Edoardo Predieri of TIM S.p.A: CVE-2020-14842,
CVE-2020-14843
- Fabio Minarelli of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
- Filip Ceglik: CVE-2020-14772
- Francesco Russo of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
- François Goichon of Google: CVE-2020-14735
- Gaoning Pan of Zhejiang University & Ant Security Light-Year Lab: CVE-2020-14872, CVE-2020-14892
- Graham Rymer of University Information Services, University of Cambridge: CVE-2020-14840
- Hangfan Zhang: CVE-2020-14828
- Ioannis
Charalambous of NCC Group: CVE-2020-14787, CVE-2020-14788
- Ivo Palazzolo of Daimler TSS: CVE-2020-14864
- Jacob Thompson of FireEye: CVE-2020-14871
- Jakub Palaczynski: CVE-2020-14740, CVE-2020-14752
- Jakub Plusczok: CVE-2020-14854
- Jeffrey Martin of Rapid7: CVE-2020-14871
- Joe Almeida of Globlue Technologies: CVE-2020-14815
- Julien Zhan of Telecom Nancy: CVE-2020-14867
- Khuyen Nguyen of secgit.com: CVE-2020-14816, CVE-2020-14817,
CVE-2020-14819, CVE-2020-14835
- Kritsada Sunthornwutthikrai of Secure D Center Cybersecurity Team: CVE-2020-14778
- Kylinking of NSFocus Security Team: CVE-2020-14841
- Larry W. Cashdollar: CVE-2020-14758, CVE-2020-14759
- Le Xuan Tuyen - VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-14841, CVE-2020-14859
- Long Nguyễn Hữu Vũ: CVE-2020-14863
- Longofo of Knownsec 404 Team: CVE-2020-14841
- Luca Di Giuseppe of TIM S.p.A: CVE-2020-14842,
CVE-2020-14843
- Markus Loewe: CVE-2020-14796, CVE-2020-14797, CVE-2020-14798
- Massimiliano Brolli of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
- Mateusz Dabrowski: CVE-2020-14784
- Philippe Antoine of Telecom Nancy: CVE-2020-14867
- Piotr Madej of ING Tech Poland: CVE-2020-14740
- Preeyakorn Keadsai of Secure D Center Cybersecurity Team: CVE-2020-14778
- Quynh Le of VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-14825
- r0 from
A-TEAM of Legendsec at Qi'anxin Group: CVE-2020-14841
- Roger Meyer: CVE-2020-14745
- Rui Zhong: CVE-2020-14828
- Sergey Ostanin: CVE-2020-14781
- Shiva Gupta of Shiva Hacker One: CVE-2020-14890, CVE-2020-14897
- Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2020-14764
- Thai Nguyen of ECQ: CVE-2020-14826
- thiscodecc: CVE-2020-14825
- Tomasz Stachowicz: CVE-2020-14780
- Trung Le: CVE-2020-14822,
CVE-2020-14831, CVE-2020-14833, CVE-2020-14834, CVE-2020-14849, CVE-2020-14850, CVE-2020-14851, CVE-2020-14856, CVE-2020-14857
- Tuan Anh Nguyen of Viettel Cyber Security: CVE-2020-14855, CVE-2020-14862, CVE-2020-14875
- Tuan Anh Nguyen of Viettel Cyber Security working with Trend Micro Zero Day Initiative: CVE-2020-14876
- Ved Prabhu: CVE-2020-14762, CVE-2020-14763, CVE-2020-14898, CVE-2020-14899, CVE-2020-14900
- Venustech ADLab: CVE-2020-14820
- Viktor Gazdag of
NCC Group: CVE-2020-14787, CVE-2020-14788
- voidfyoo of Chaitin Security Research Lab: CVE-2020-14882, CVE-2020-14883
- Walid Faour: CVE-2020-14783
- Xingwei Lin of Ant Security Light-Year Lab: CVE-2020-14872, CVE-2020-14889, CVE-2020-14892
- Xinlei Ying of Ant Security Light-Year Lab: CVE-2020-14892
- Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2020-14841
- Yaoguang Chen of Ant Security Light-Year Lab: CVE-2020-14828, CVE-2020-14861, CVE-2020-14893
- Yi Ren of Alibaba: CVE-2020-14790, CVE-2020-14828
- Yongheng Chen: CVE-2020-14828
- Yu Wang of BMH Security Team: CVE-2020-14841
- Yuyue Wang of Alibaba: CVE-2020-14828
- Zhiqiang Zang of University of Texas at Austin: CVE-2020-14792
- Zouhair Janatil-Idrissi of Telecom Nancy: CVE-2020-14867
Security-In-Depth ContributorsOracle acknowledges people who have contributed to our Security-In-Depth program (see
FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates. In this Critical Patch Update, Oracle recognizes the following
for contributions to Oracle's Security-In-Depth program.: - Amy Tran [35 reports]
- Chi Tran [35 reports]
- David Wilkins
- Markus Loewe [2 reports]
- Mateusz Dabrowski
- Trung Le [35 reports]
On-Line Presence Security ContributorsOracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for
contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems. For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program: - Abdulrahman Ahmed [3 reports]
- Abhishek Morla
- Adam Willard [2 reports]
- Adam Willard of Raytheon Foreground
Security
- Adarsh VS Mannarakkal
- Ahmed Elmalky
- Ahmed Omer Morve
- Ai Ho (j3ssiejjj)
- Alex Munene
- Alisha Sheikh
- Anil Bhatt
- Anurag Kumar Rawat (A1C3VENOM)
- Ayan Saha
- Badal Sardhara
- Bindiya Sardhara
- Bui Dinh Bao aka 0xd0ff9 of Zalo Security Team (VNG Corp).
- Danny
- Dhiraj Mishra
- Funny Tech
- Gaurav Kumar
- Gourab Sadhukhan
- Harsh Mukeshbhai Joshi [2 reports]
- Himanshu
Phulwariya
- Karthick Selvaraj
- Kartik Sharma
- Kaustubh Kale
- Kirtan Patel
- Kryptos Logic - Threat Intelligence Platform
- Kunal Gambhir
- Magrabur Alam Sofily
- Mansouri Badis
- Marwan Ali Albahar [2 reports]
- Matthew Harlow of EthicalHacker 20
- Mayank Kumar
- Mayank Malik, Kartik Sharma
- Micah Van Deusen
- Omkar Ghaisas
- Osman Ahmed Hassan
- Pankaj Kumar Thakur from Nepal [3 reports]
- Pratish Bhansali
- Ria from iZOOlogic
- Riccardo Donini
- Rick Verdoes & Danny de Weille of HackDefense
- Robert Lee Dick [2 reports]
- Roger Meyer
- Ronak Nahar
- Rudi Andriano
- Ryan awsmhacks Preston
- Sai Prashanth Pulisetti
- Sameer Goyal
- Shahid Ahmed [2 reports]
- Shivang Trivedi [2 reports]
- Shubham Kalaria
- Shubham Maheshwari
- Sidney Omondi of Salaam Technology
- Siva Pathela
- Soumajit Mukherjee
- Sparsh Gupta
- Srikar V - exp1o1t9r
- Sumit Sah
- Supun Madubashana Halangoda
- Suresh Nadar
- Swapnil Maurya - "swapmaurya20"
- Syed Muhammad Asim [2 reports]
- Vaibhav Gaikwad of Knock Security Solutions
- Venkata Sateesh Netti (str4n63r)
- Walid Hossain
- Yassine Triki
- Yatin Sharma
Critical Patch Update ScheduleCritical Patch Updates are released on the Tuesday closest to
the 17th day of January, April, July and October. The next four dates are: - 19 January 2021
- 20 April 2021
- 20 July 2021
- 19 October 2021
References- Oracle Critical Patch Updates, Security Alerts and Bulletins
- Critical Patch Update - October 2020 Documentation Map
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
- English text version of the risk matrices
- CVRF XML version of the risk matrices
- Map of CVE to Advisory/Alert
- Software Error Correction Support Policy
- Oracle Lifetime support Policy
- JEP 290 Reference Blocklist Filter
Modification History
| Date | Note |
|---|
| 2020-December-8
| Rev 6. Added a note for CVE-2020-14871.
| | 2020-November-16
| Rev 5. Updated Oracle ZFS Storage Appliance Kit row to include CVE-2020-14871.
| | 2020-October-29
| Rev 4. Added CVE-2018-2765.
| | 2020-October-27
| Rev 3. Credit statement update.
| | 2020-October-22
| Rev 2. Affected versions change for CVE-2020-14807, CVE-2020-14810 and credit statement update.
| | 2020-October-20
| Rev 1. Initial Release.
|
Oracle Database Products Risk MatricesThis Critical Patch Update contains 29 new security patches for Oracle Database Products divided as follows: - 19 new security patches for Oracle Database Products
- 1 new security patch for Oracle Big Data Graph
- 5 new security patches for Oracle REST Data Services
- 4 new security patches for Oracle TimesTen In-Memory Database
Oracle
Database Server Risk MatrixThis Critical Patch Update contains 19 new security patches plus additional third party patches noted below for Oracle Database Products. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 1 of these patches is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.
The English text form of this Risk Matrix can be found here.
| CVE# | Component | Package and/or Privilege Required | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2019-12900 | Core RDBMS (bzip2)
| DBA Level Account
| Oracle Net
| No
| 8.8
| Network
| Low
| Low
| None
| Un-
changed
| High
| High
| High
| 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
|
|
|---|
| CVE-2020-14735 | Scheduler
| Local Logon
| None
| No
| 8.8
| Local
| Low
| Low
| None
| Changed
| High
| High
| High
| 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
|
|
|---|
| CVE-2020-14734 | Oracle Text
| None
| Oracle Net
| Yes
| 8.1
| Network
| High
| None
| None
| Un-
changed
| High
| High
| High
| 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
|
|
|---|
| CVE-2018-2765 | Oracle SSL API
| None
| HTTPS
| Yes
| 7.5
| Network
| Low
| None
| None
| Un-
changed
| High
| None
| None
| 11.2.0.4, 12.1.0.2, 12.2.0.1
|
|
|---|
| CVE-2020-13935 | Workload Manager (Apache Tomcat)
| None
| HTTP
| Yes
| 7.5
| Network
| Low
| None
| None
| Un-
changed
| None
| None
| High
| 12.2.0.1, 18c, 19c
|
|
|---|
| CVE-2020-11023 | Oracle Application Express (jQuery)
| None
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| Prior to 20.2
|
|
|---|
| CVE-2020-11023 | ORDS (jQuery)
| None
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
| See Note 1
|
|---|
| CVE-2020-14762 | Oracle Application Express
| SQL Workshop
| HTTP
| No
| 5.4
| Network
| Low
| Low
| Required
| Changed
| Low
| Low
| None
| Prior to 20.2
|
|
|---|
| CVE-2020-9281 | Oracle Application Express
| Valid User Account
| HTTP
| No
| 5.4
| Network
| Low
| Low
| Required
| Changed
| Low
| Low
| None
| Prior to 20.2
|
|
|---|
| CVE-2020-14899 | Oracle Application Express Data Reporter
| Valid User Account
| HTTP
| No
| 5.4
| Network
| Low
| Low
| Required
| Changed
| Low
| Low
| None
| Prior to 20.2
|
|
|---|
| CVE-2020-14900 | Oracle Application Express Group Calendar
| Valid User Account
| HTTP
| No
| 5.4
| Network
| Low
| Low
| Required
| Changed
| Low
| Low
| None
| Prior to 20.2
|
|
|---|
| CVE-2020-14898 | Oracle Application Express Packaged Apps
| Valid User Account
| HTTP
| No
| 5.4
| Network
| Low
| Low
| Required
| Changed
| Low
| Low
| None
| Prior to 20.2
|
|
|---|
| CVE-2020-14763 | Oracle Application Express Quick Poll
| Valid User Account
| HTTP
| No
| 5.4
| Network
| Low
| Low
| Required
| Changed
| Low
| Low
| None
| Prior to 20.2
|
|
|---|
| CVE-2020-14741 | Database Filesystem
| Resource, Create Table, Create View, Create Procedure, Dbfs_role
| Oracle Net
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 11.2.0.4, 12.1.0.2, 12.2.0.1
|
|
|---|
| CVE-2020-14901 | RDBMS Security
| Analyze Any
| Oracle Net
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| High
| None
| None
| 19c
|
|
|---|
| CVE-2020-14736 | Database Vault
| Create Public Synonym
| Oracle Net
| No
| 3.8
| Network
| Low
| High
| None
| Un-
changed
| Low
| Low
| None
| 11.2.0.4, 12.1.0.2, 12.2.0.1
|
|
|---|
| CVE-2020-14743 | Java VM
| Create Procedure
| Multiple
| No
| 3.1
| Network
| High
| Low
| None
| Un-
changed
| None
| Low
| None
| 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
|
|
|---|
| CVE-2020-14740 | SQL Developer Install
| Client Computer User Account
| Local Logon
| No
| 2.8
| Local
| Low
| Low
| Required
| Un-
changed
| Low
| None
| None
| 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
|
|
|---|
| CVE-2020-14742 | Core RDBMS
| SYSDBA level account
| Oracle Net
| No
| 2.7
| Network
| Low
| High
| None
| Un-
changed
| None
| Low
| None
| 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
|
|
|---|
Notes:- Additional ORDS bugs are documented in the risk matrix "Oracle REST Data Services Risk Matrix"
Additional CVEs addressed are:- The patch for CVE-2019-12900 also addresses CVE-2016-3189
- The patch for CVE-2020-11023 also addresses CVE-2019-11358 and CVE-2020-11022
- The patch for CVE-2020-13935 also addresses CVE-2020-11996, CVE-2020-13934
and CVE-2020-9484
- The patch for CVE-2020-14734 also addresses CVE-2016-10244, CVE-2016-10328, CVE-2016-5300, CVE-2016-6153, CVE-2017-10989, CVE-2017-13685, CVE-2017-13745, CVE-2017-14232, CVE-2017-15286, CVE-2017-7857, CVE-2017-7858, CVE-2017-7864, CVE-2017-8105, CVE-2017-8287, CVE-2018-18873, CVE-2018-19139, CVE-2018-19539, CVE-2018-19540, CVE-2018-19541, CVE-2018-19542, CVE-2018-19543, CVE-2018-20346, CVE-2018-20505, CVE-2018-20506, CVE-2018-20570, CVE-2018-20584, CVE-2018-20622,
CVE-2018-20843, CVE-2018-6942, CVE-2018-8740, CVE-2018-9055, CVE-2018-9154, CVE-2018-9252, CVE-2019-15903, CVE-2019-16168, CVE-2019-5018, CVE-2019-8457, CVE-2019-9936 and CVE-2019-9937
Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:- Core RDBMS (LZ4): CVE-2019-17543
- Core RDBMS (Zstandard): CVE-2019-11922
- Oracle Database (Perl
Expat): CVE-2018-20843 and CVE-2019-15903
- Oracle Spatial and Graph (Apache Log4j): CVE-2020-9488
- Oracle Spatial and Graph (jackson-databind): CVE-2019-16943, CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-5968, CVE-2018-7489, CVE-2019-16942 and CVE-2019-17531
- Oracle Spatial and Graph MapViewer (jQuery): CVE-2020-11023, CVE-2019-11358 and CVE-2020-11022
- SQL Developer (Apache Batik): CVE-2018-8013 and CVE-2017-5662
- SQL Developer (Apache Log4j):
CVE-2017-5645
- SQL Developer (Apache POI): CVE-2017-12626, CVE-2016-5000, CVE-2017-5644 and CVE-2019-12415
- SQL Developer (jackson-databind): CVE-2018-7489, CVE-2017-15095, CVE-2017-17485, CVE-2018-1000873, CVE-2018-11307, CVE-2018-12022, CVE-2018-5968, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-16335, CVE-2019-20330 and CVE-2020-8840
- SQL Developer (JCraft JSch): CVE-2016-5725
- SQL Developer Install (Bouncy Castle): CVE-2019-17359, CVE-2016-1000338,
CVE-2016-1000339, CVE-2016-1000340, CVE-2016-1000341, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345, CVE-2016-1000346, CVE-2016-1000352, CVE-2017-13098, CVE-2018-1000180, CVE-2018-1000613 and CVE-2018-5382
Oracle Database Server Client-Only Installations- The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2020-14740.
Oracle Big Data Graph Risk MatrixThis Critical Patch Update contains 1 new security patch plus additional third party patches noted below for Oracle Big Data Graph. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found
here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2019-0192 | Big Data Spatial and Graph
| Property Graph Analytics (Apache Solr)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| Prior to 3.0
|
|
|---|
Additional CVEs addressed are:- The patch for CVE-2019-0192 also addresses CVE-2017-3164
Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:- Big Data Spatial and Graph
- Property Graph Analytics (jQuery): CVE-2015-9251
- Property Graph Analytics
(jackson-databind): CVE-2020-9546, CVE-2015-9251, CVE-2017-5645, CVE-2018-12023, CVE-2018-14718, CVE-2018-7489, CVE-2019-10744, CVE-2019-12086, CVE-2019-14379, CVE-2019-16943, CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-14195, CVE-2020-9547 and CVE-2020-9548
- Property Graph Analytics (lodash): CVE-2019-10744
- Property Graph Analytics (Apache Log4j):
CVE-2017-5645
Oracle REST Data Services Risk MatrixThis Critical Patch Update contains 5 new security patches plus additional third party patches noted below for Oracle REST Data Services. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found
here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2017-7658 | Oracle REST Data Services
| General (Eclipse Jetty)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
|
|
|---|
| CVE-2016-1000031 | Oracle REST Data Services
| General (Apache Commons FileUpload)
| HTTP
| No
| 8.0
| Network
| Low
| Low
| Required
| Un-
changed
| High
| High
| High
| 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
|
|
|---|
| CVE-2020-14744 | Oracle REST Data Services
| General
| HTTP
| No
| 6.5
| Network
| Low
| Low
| None
| Un-
changed
| High
| None
| None
| 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c; Standalone ORDS: prior to 20.2.1
|
|
|---|
| CVE-2020-11023 | Oracle REST Data Services
| General (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c; Standalone ORDS: prior to 20.2.1
|
|
|---|
| CVE-2020-14745 | Oracle REST Data Services
| General
| HTTP
| No
| 4.3
| Network
| Low
| Low
| None
| Un-
changed
| Low
| None
| None
| 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c; Standalone ORDS: prior to 20.2.1
|
|
|---|
Additional CVEs addressed are:- The patch for CVE-2017-7658 also addresses CVE-2016-4800, CVE-2017-7656, CVE-2017-7657, CVE-2017-9735, CVE-2018-12536, CVE-2018-12538, CVE-2018-12545, CVE-2019-10241, CVE-2019-10246, CVE-2019-10247 and CVE-2019-17632
- The patch for CVE-2020-11023 also addresses CVE-2019-11358 and CVE-2020-11022
Additional patches are included in this Critical Patch
Update for the following non-exploitable CVEs in this Oracle product family:- Oracle REST Data Services
- General (Apache Batik): CVE-2018-8013 and CVE-2017-5662
- General (jackson-databind): CVE-2019-16335, CVE-2019-12814, CVE-2019-14540, CVE-2019-14893, CVE-2019-17531, CVE-2019-20330, CVE-2020-11113, CVE-2020-11620 and CVE-2020-8840
Oracle TimesTen In-Memory Database Risk MatrixThis
Critical Patch Update contains 4 new security patches for Oracle TimesTen In-Memory Database. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2018-11058 | Oracle TimesTen In-Memory Database
| EM TimesTen plugin (RSA BSAFE Crypto-C)
| Multiple
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| Prior to 18.1.4.1.0
|
|
|---|
| CVE-2017-5645 | Oracle TimesTen In-Memory Database
| Install (Apache Log4j)
| Multiple
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| Prior to 11.2.2.8.49
|
|
|---|
| CVE-2019-1010239 | Oracle TimesTen In-Memory Database
| Install (Dave Gamble/cJSON)
| HTTP
| Yes
| 7.5
| Network
| Low
| None
| None
| Un-
changed
| None
| None
| High
| Prior to 18.1.3.1.0
|
|
|---|
| CVE-2019-0201 | Oracle TimesTen In-Memory Database
| Install (Apache ZooKeeper)
| ZAB
| Yes
| 5.9
| Network
| High
| None
| None
| Un-
changed
| High
| None
| None
| Prior to 18.1.3.1.0
|
|
|---|
Additional CVEs addressed are:- The patch for CVE-2017-5645 also addresses CVE-2020-1945
- The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769
- The patch for CVE-2019-1010239 also addresses CVE-2019-11834 and CVE-2019-11835
Oracle
Communications Applications Risk MatrixThis Critical Patch Update contains 9 new security patches for Oracle Communications Applications. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2019-10173 | Oracle Communications BRM - Elastic Charging Engine
| Diameter Gateway and SDK (xstream)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 11.3.0.9.0, 12.0.0.3.0
|
|
|---|
| CVE-2020-10683 | Oracle Communications Unified Inventory Management
| Core (dom4j)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 7.3.0, 7.4.0
|
|
|---|
| CVE-2019-10173 | Oracle Communications Unified Inventory Management
| Core (xstream)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 7.3.0, 7.4.0
|
|
|---|
| CVE-2020-10878 | Oracle Communications Billing and Revenue Management
| Core (Perl)
| TCP
| Yes
| 8.6
| Network
| Low
| None
| None
| Un-
changed
| Low
| Low
| High
| 12.0.0.2.0, 12.0.0.3.0
|
|
|---|
| CVE-2020-11022 | Oracle Communications Billing and Revenue Management
| Billing Operation Center and Oracle Communication Billing Care (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 7.5.0.23.0, 12.0.0.3.0
|
|
|---|
| CVE-2020-9489 | Oracle Communications Messaging Server
| Core (Apache Tika)
| None
| No
| 5.5
| Local
| Low
| None
| Required
| Un-
changed
| None
| None
| High
| 8.1
|
|
|---|
| CVE-2020-9488 | Oracle Communications Billing and Revenue Management
| Billing Operation Center and Oracle Communication Billing Care (Apache Log4j)
| SMTPS
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 7.5.0.23.0, 12.0.0.3.0
|
|
|---|
| CVE-2020-9488 | Oracle Communications Offline Mediation Controller
| Core (Apache Log4j)
| SMTPS
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 12.0.0.3.0
|
|
|---|
| CVE-2020-9488 | Oracle Communications Unified Inventory Management
| Core (Apache Log4j)
| SMTPS
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 7.3.0, 7.4.0
|
|
|---|
Additional CVEs addressed are:- The patch for CVE-2020-10878 also addresses CVE-2020-10543 and CVE-2020-12723
- The patch for CVE-2020-11022 also addresses CVE-2020-11023
Oracle Communications Risk MatrixThis Critical Patch Update contains 52 new security patches for Oracle Communications. 41 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2020-10683 | Oracle Communications Application Session Controller
| WS and WEB (dom4j)
| Multiple
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 3.9m0p1
|
|
|---|
| CVE-2020-11973 | Oracle Communications Diameter Signaling Router (DSR)
| IDIH (Apache Camel)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| IDIH: 8.0.0-8.2.2
|
|
|---|
| CVE-2020-2555 | Oracle Communications Diameter Signaling Router (DSR)
| IDIH (Oracle Coherence)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| IDIH: 8.0.0-8.2.2
|
|
|---|
| CVE-2020-10683 | Oracle Communications Diameter Signaling Router (DSR)
| IDIH (dom4j)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| IDIH: 8.0.0-8.2.2
|
|
|---|
| CVE-2019-2904 | Oracle Communications Diameter Signaling Router (DSR)
| Platform (Application Development Framework)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 8.0.0.0-8.4.0.5
|
|
|---|
| CVE-2019-12260 | Oracle Communications EAGLE Software
| Network Stack (Wind River VxWorks)
| TCP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 46.6.0-46.8.2
|
|
|---|
| CVE-2020-11984 | Oracle Communications Element Manager
| Core (Apache HTTP Server)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 8.2.0-8.2.2
|
|
|---|
| CVE-2020-11984 | Oracle Communications Session Report Manager
| Core (Apache HTTP Server)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 8.2.0-8.2.2
|
|
|---|
| CVE-2020-11984 | Oracle Communications Session Route Manager
| Core (Apache HTTP Server)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 8.2.0-8.2.2
|
|
|---|
| CVE-2019-13990 | Oracle Communications Session Route Manager
| Core (Quartz Scheduler)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 8.2.0-8.2.2
|
|
|---|
| CVE-2019-17638 | Oracle Communications Application Session Controller
| WS and WEB (Eclipse Jetty)
| HTTP
| Yes
| 9.4
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| Low
| 3.9m0p1
|
|
|---|
| CVE-2019-17638 | Oracle Communications Element Manager
| Core (Eclipse Jetty)
| HTTP
| Yes
| 9.4
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| Low
| 8.2.0-8.2.2
|
|
|---|
| CVE-2019-17638 | Oracle Communications Session Report Manager
| Core (Eclipse Jetty)
| HTTP
| Yes
| 9.4
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| Low
| 8.2.0-8.2.2
|
|
|---|
| CVE-2019-17638 | Oracle Communications Session Route Manager
| Core (Eclipse Jetty)
| HTTP
| Yes
| 9.4
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| Low
| 8.2.0-8.2.2
|
|
|---|
| CVE-2020-14195 | Oracle Communications Diameter Signaling Router (DSR)
| IDIH (jackson-databind)
| HTTP
| Yes
| 8.1
| Network
| High
| None
| None
| Un-
changed
| High
| High
| High
| IDIH: 8.0.0-8.2.2
|
|
|---|
| CVE-2020-14195 | Oracle Communications Element Manager
| Core (jackson-databind)
| HTTP
| Yes
| 8.1
| Network
| High
| None
| None
| Un-
changed
| High
| High
| High
| 8.2.0-8.2.2
|
|
|---|
| CVE-2020-14195 | Oracle Communications Evolved Communications Application Server
| Universal Data Record (jackson-databind)
| XCAP
| Yes
| 8.1
| Network
| High
| None
| None
| Un-
changed
| High
| High
| High
| 7.1
|
|
|---|
| CVE-2020-14195 | Oracle Communications Session Report Manager
| Core (jackson-databind)
| HTTP
| Yes
| 8.1
| Network
| High
| None
| None
| Un-
changed
| High
| High
| High
| 8.2.0-8.2.2
|
|
|---|
| CVE-2020-14195 | Oracle Communications Session Route Manager
| Core (jackson-databind)
| HTTP
| Yes
| 8.1
| Network
| High
| None
| None
| Un-
changed
| High
| High
| High
| 8.2.0-8.2.2
|
|
|---|
| CVE-2020-5398 | Oracle Communications Diameter Signaling Router (DSR)
| IDIH (Spring Framework)
| HTTP
| Yes
| 7.5
| Network
| High
| None
| Required
| Un-
changed
| High
| High
| High
| IDIH: 8.0.0-8.2.2
|
|
|---|
| CVE-2019-17359 | Oracle Communications Diameter Signaling Router (DSR)
| IDIH (Bouncy Castle Java Library)
| HTTPS
| Yes
| 7.5
| Network
| Low
| None
| None
| Un-
changed
| None
| None
| High
| IDIH: 8.0.0-8.2.2
|
|
|---|
| CVE-2019-12402 | Oracle Communications Element Manager
| Core (Apache Commons Compress)
| HTTP
| Yes
| 7.5
| Network
| Low
| None
| None
| Un-
changed
| None
| None
| High
| 8.2.0-8.2.2
|
|
|---|
| CVE-2020-11080 | Oracle Communications Session Border Controller
| System (http2)
| HTTP
| Yes
| 7.5
| Network
| Low
| None
| None
| Un-
changed
| None
| None
| High
| 8.3, 8.4
|
|
|---|
| CVE-2019-12402 | Oracle Communications Session Report Manager
| Core (Apache Commons Compress)
| HTTP
| Yes
| 7.5
| Network
| Low
| None
| None
| Un-
changed
| None
| None
| High
| 8.2.0-8.2.2
|
|
|---|
| CVE-2019-12402 | Oracle Communications Session Route Manager
| Core (Apache Commons Compress)
| HTTP
| Yes
| 7.5
| Network
| Low
| None
| None
| Un-
changed
| None
| None
| High
| 8.2.0-8.2.2
|
|
|---|
| CVE-2019-17359 | Oracle Communications Session Route Manager
| Core (Bouncy Castle Java Library)
| HTTPS
| Yes
| 7.5
| Network
| Low
| None
| None
| Un-
changed
| None
| None
| High
| 8.2.0-8.2.2
|
|
|---|
| CVE-2019-10173 | Oracle Communications Diameter Signaling Router (DSR)
| IDIH (xstream)
| HTTP
| Yes
| 7.3
| Network
| Low
| None
| None
| Un-
changed
| Low
| Low
| Low
| IDIH: 8.0.0-8.2.2
|
|
|---|
| CVE-2020-9484 | Oracle Communications Diameter Signaling Router (DSR)
| Core (Apache Tomcat)
| None
| No
| 7.0
| Local
| High
| Low
| None
| Un-
changed
| High
| High
| High
| 8.0.0.0-8.4.0.5
|
|
|---|
| CVE-2020-9484 | Oracle Communications Element Manager
| Core (Apache Tomcat)
| None
| No
| 7.0
| Local
| High
| Low
| None
| Un-
changed
| High
| High
| High
| 8.2.0-8.2.2
|
|
|---|
| CVE-2020-9484 | Oracle Communications Session Report Manager
| Core (Apache Tomcat)
| None
| No
| 7.0
| Local
| High
| Low
| None
| Un-
changed
| High
| High
| High
| 8.2.0-8.2.2
|
|
|---|
| CVE-2020-9484 | Oracle Communications Session Route Manager
| Core (Apache Tomcat)
| None
| No
| 7.0
| Local
| High
| Low
| None
| Un-
changed
| High
| High
| High
| 8.2.0-8.2.2
|
|
|---|
| CVE-2020-1945 | Oracle Communications Diameter Signaling Router (DSR)
| IDIH (Apache Ant)
| None
| No
| 6.7
| Local
| High
| None
| None
| Un-
changed
| High
| High
| None
| IDIH: 8.0.0-8.2.2
|
|
|---|
| CVE-2020-10722 | Oracle Communications Session Border Controller
| Platform (DPDK)
| None
| No
| 6.7
| Local
| Low
| High
| None
| Un-
changed
| High
| High
| High
| 8.2-8.4
|
|
|---|
| CVE-2020-5408 | Oracle Communications Element Manager
| Core (Spring Security)
| HTTP
| No
| 6.5
| Network
| Low
| Low
| None
| Un-
changed
| High
| None
| None
| 8.2.0-8.2.2
|
|
|---|
| CVE-2020-5408 | Oracle Communications Session Report Manager
| Core (Spring Security)
| HTTP
| No
| 6.5
| Network
| Low
| Low
| None
| Un-
changed
| High
| None
| None
| 8.2.0-8.2.2
|
|
|---|
| CVE-2020-5408 | Oracle Communications Session Route Manager
| Core (Spring Security)
| HTTP
| No
| 6.5
| Network
| Low
| Low
| None
| Un-
changed
| High
| None
| None
| 8.2.0-8.2.2
|
|
|---|
| CVE-2020-11022 | Oracle Communications Application Session Controller
| Core (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 3.8m0
|
|
|---|
| CVE-2020-1941 | Oracle Communications Diameter Signaling Router (DSR)
| IDIH (Apache ActiveMQ)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| IDIH: 8.0.0-8.2.2
|
|
|---|
| CVE-2020-11022 | Oracle Communications Diameter Signaling Router (DSR)
| IDIH (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| IDIH: 8.0.0-8.2.2
|
|
|---|
| CVE-2019-17091 | Oracle Communications Diameter Signaling Router (DSR)
| Platform (Eclipse Mojarra)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.0.0-8.4.0.5
|
|
|---|
| CVE-2020-14788 | Oracle Communications Diameter Signaling Router (DSR)
| User Interface
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.0.0-8.4.0.5
|
|
|---|
| CVE-2020-11022 | Oracle Communications WebRTC Session Controller
| ME (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 7.2
|
|
|---|
| CVE-2020-11022 | Oracle Enterprise Session Border Controller
| Core (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.4
|
|
|---|
| CVE-2019-12415 | Oracle Communications Diameter Signaling Router (DSR)
| IDIH (Apache POI)
| None
| No
| 5.5
| Local
| Low
| Low
| None
| Un-
changed
| High
| None
| None
| IDIH: 8.0.0-8.2.2
|
|
|---|
| CVE-2020-14787 | Oracle Communications Diameter Signaling Router (DSR)
| User Interface
| HTTP
| No
| 5.4
| Network
| Low
| Low
| Required
| Changed
| Low
| Low
| None
| 8.0.0.0-8.4.0.5
|
|
|---|
| CVE-2019-11048 | Oracle Communications Diameter Signaling Router (DSR)
| Core (PHP)
| HTTP
| Yes
| 5.3
| Network
| Low
| None
| None
| Un-
changed
| None
| None
| Low
| 8.0.0.0-8.4.0.5
|
|
|---|
| CVE-2020-1954 | Oracle Communications Diameter Signaling Router (DSR)
| IDIH (Apache CXF)
| HTTP
| Yes
| 5.3
| Adjacent
Network
| High
| None
| None
| Un-
changed
| High
| None
| None
| IDIH: 8.0.0-8.2.2
|
|
|---|
| CVE-2020-1954 | Oracle Communications Element Manager
| Core (Apache CXF)
| HTTP
| Yes
| 5.3
| Adjacent
Network
| High
| None
| None
| Un-
changed
| High
| None
| None
| 8.2.0-8.2.2
|
|
|---|
| CVE-2020-1954 | Oracle Communications Session Report Manager
| Core (Apache CXF)
| HTTP
| Yes
| 5.3
| Adjacent
Network
| High
| None
| None
| Un-
changed
| High
| None
| None
| 8.2.0-8.2.2
|
|
|---|
| CVE-2020-1954 | Oracle Communications Session Route Manager
| Core (Apache CXF)
| HTTP
| Yes
| 5.3
| Adjacent
Network
| High
| None
| None
| Un-
changed
| High
| None
| None
| 8.2.0-8.2.2
|
|
|---|
| CVE-2020-9488 | Oracle Communications Application Session Controller
| WS and WEB (Apache Log4j)
| SMTPS
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 3.9m0p1
|
|
|---|
| CVE-2020-9488 | Oracle Communications Services Gatekeeper
| Media Control UI (Apache Log4j)
| SMTPS
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 7
|
|
|---|
Additional CVEs addressed are:- The patch for CVE-2019-11048 also addresses CVE-2020-7067
- The patch for CVE-2019-12260 also addresses CVE-2019-12261
- The patch for CVE-2019-13990 also addresses CVE-2019-5427
- The patch for CVE-2019-17638 also addresses CVE-2019-17632
- The patch for CVE-2020-10722 also addresses CVE-2020-10723 and CVE-2020-10724
- The patch for CVE-2020-11022 also
addresses CVE-2020-11023
- The patch for CVE-2020-11080 also addresses CVE-2019-5436, CVE-2019-5481, CVE-2019-5482, CVE-2019-9511 and CVE-2019-9513
- The patch for CVE-2020-11973 also addresses CVE-2020-11971 and CVE-2020-11972
- The patch for CVE-2020-11984 also addresses CVE-2020-11993 and CVE-2020-9490
- The patch for CVE-2020-14195 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112,
CVE-2020-11113, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-9546, CVE-2020-9547 and CVE-2020-9548
- The patch for CVE-2020-1941 also addresses CVE-2020-13920
- The patch for CVE-2020-1945 also addresses CVE-2017-5645
- The patch for CVE-2020-1954 also addresses CVE-2019-12423
- The patch for CVE-2020-5398 also addresses CVE-2020-5397
- The patch for CVE-2020-5408 also addresses CVE-2020-5407
Oracle Construction
and Engineering Risk MatrixThis Critical Patch Update contains 9 new security patches for Oracle Construction and Engineering. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2020-11984 | Instantis EnterpriseTrack
| Core (Apache HTTP Server)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 17.1, 17.2, 17.3
|
|
|---|
| CVE-2019-17495 | Primavera Gateway
| Admin (Swagger UI)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 16.2.0-16.2.11, 17.12.0-17.12.8
|
|
|---|
| CVE-2015-1832 | Primavera Unifier
| Platform (Apache Derby)
| HTTP
| Yes
| 9.1
| Network
| Low
| None
| None
| Un-
changed
| High
| None
| High
| 16.1, 16.2, 17.7-17.12, 18.8, 19.12
|
|
|---|
| CVE-2017-9096 | Primavera Unifier
| Platform (iText)
| HTTP
| Yes
| 8.8
| Network
| Low
| None
| Required
| Un-
changed
| High
| High
| High
| 16.1, 16.2, 17.7-17.12, 18.8, 19.12
|
|
|---|
| CVE-2020-13935 | Instantis EnterpriseTrack
| Core (Apache Tomcat)
| HTTP
| Yes
| 7.5
| Network
| Low
| None
| None
| Un-
changed
| None
| None
| High
| 17.1, 17.2, 17.3
|
|
|---|
| CVE-2019-17558 | Primavera Unifier
| Platform (Apache Solr)
| HTTP
| No
| 7.5
| Network
| High
| Low
| None
| Un-
changed
| High
| High
| High
| 16.1, 16.2, 17.7-17.12, 18.8, 19.12
|
|
|---|
| CVE-2018-17196 | Primavera Unifier
| Core (Apache Kafka)
| HTTP
| Yes
| 7.0
| Network
| High
| None
| None
| Un-
changed
| High
| Low
| Low
| 18.8, 19.12
|
|
|---|
| CVE-2020-9489 | Primavera Unifier
| Platform (Apache Tika)
| None
| No
| 5.5
| Local
| Low
| None
| Required
| Un-
changed
| None
| None
| High
| 16.1, 16.2, 17.7-17.12, 18.8, 19.12
|
|
|---|
| CVE-2020-9488 | Primavera Unifier
| Core (Apache Log4j)
| SMTPS
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 18.8, 19.12
|
|
|---|
Additional CVEs addressed are:- The patch for CVE-2020-11984 also addresses CVE-2020-11993 and CVE-2020-9490
- The patch for CVE-2020-13935 also addresses CVE-2020-13934
Oracle E-Business Suite Risk MatrixThis Critical Patch Update contains 27 new security patches for Oracle E-Business Suite. 25 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here. Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business
Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware
components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (October 2020), My Oracle Support Note 2707309.1.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2020-14855 | Oracle Universal Work Queue
| Work Provider Administration
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 12.1.3
|
|
|---|
| CVE-2020-14805 | Oracle E-Business Suite Secure Enterprise Search
| Search Integration Engine
| HTTP
| Yes
| 9.1
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| None
| 12.1.3, 12.2.3 - 12.2.10
|
|
|---|
| CVE-2020-14875 | Oracle Marketing
| Marketing Administration
| HTTP
| Yes
| 9.1
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| None
| 12.1.1 - 12.1.3, 12.2.3 - 12.2.10
|
|
|---|
| CVE-2020-14876 | Oracle Trade Management
| User Interface
| HTTP
| Yes
| 9.1
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| None
| 12.1.1 - 12.1.3, 12.2.3 - 12.2.10
|
|
|---|
| CVE-2020-14862 | Oracle Universal Work Queue
| Internal Operations
| HTTP
| No
| 8.8
| Network
| Low
| Low
| None
| Un-
changed
| High
| High
| High
| 12.2.3 - 12.2.9
|
|
|---|
| CVE-2020-14850 | Oracle CRM Technical Foundation
| Flex Fields
| HTTP
| Yes
| 8.2
| Network
| Low
| None
| Required
| Changed
| High
| Low
| None
| 12.1.3, 12.2.3 - 12.2.10
|
|
|---|
| CVE-2020-14816 | Oracle Marketing
| Marketing Administration
| HTTP
| Yes
| 8.2
| Network
| Low
| None
| Required
| Changed
| High
| Low
| None
| 12.1.1 - 12.1.3, 12.2.3 - 12.2.10
|
|
|---|
| CVE-2020-14817 | Oracle Marketing
| Marketing Administration
| HTTP
| Yes
| 8.2
| Network
| Low
| None
| Required
| Changed
| High
| Low
| None
| 12.1.1 - 12.1.3, 12.2.3 - 12.2.10
|
|
|---|
| CVE-2020-14831 | Oracle Marketing
| Marketing Administration
| HTTP
| Yes
| 8.2
| Network
| Low
| None
| Required
| Changed
| High
| Low
| None
| 12.1.1 - 12.1.3, 12.2.3 - 12.2.10
|
|
|---|
| CVE-2020-14835 | Oracle Marketing
| Marketing Administration
| HTTP
| Yes
| 8.2
| Network
| Low
| None
| Required
| Changed
| High
| Low
| None
| 12.1.1 - 12.1.3
|
|
|---|
| CVE-2020-14849 | Oracle Marketing
| Marketing Administration
| HTTP
| Yes
| 8.2
| Network
| Low
| None
| Required
| Changed
| High
| Low
| None
| 12.1.1 - 12.1.3, 12.2.3 - 12.2.10
|
|
|---|
| CVE-2020-14819 | Oracle One-to-One Fulfillment
| Print Server
| HTTP
| Yes
| 8.2
| Network
| Low
| None
| Required
| Changed
| High
| Low
| None
| 12.1.3
|
|
|---|
| CVE-2020-14863 | Oracle One-to-One Fulfillment
| Print Server
| HTTP
| Yes
| 8.2
| Network
| Low
| None
| Required
| Changed
| High
| Low
| None
| 12.1.1 - 12.1.3
|
|
|---|
| CVE-2020-14808 | Oracle Trade Management
| User Interface
| HTTP
| Yes
| 8.2
| Network
| Low
| None
| Required
| Changed
| High
| Low
| None
| 12.1.3, 12.2.3 - 12.2.10
|
|
|---|
| CVE-2020-14833 | Oracle Trade Management
| User Interface
| HTTP
| Yes
| 8.2
| Network
| Low
| None
| Required
| Changed
| High
| Low
| None
| 12.1.1 - 12.1.3, 12.2.3 - 12.2.10
|
|
|---|
| CVE-2020-14834 | Oracle Trade Management
| User Interface
| HTTP
| Yes
| 8.2
| Network
| Low
| None
| Required
| Changed
| High
| Low
| None
| 12.1.1 - 12.1.3, 12.2.3 - 12.2.10
|
|
|---|
| CVE-2020-14851 | Oracle Trade Management
| User Interface
| HTTP
| Yes
| 8.2
| Network
| Low
| None
| Required
| Changed
| High
| Low
| None
| 12.1.1 - 12.1.3, 12.2.3 - 12.2.10
|
|
|---|
| CVE-2020-14856 | Oracle Trade Management
| User Interface
| HTTP
| Yes
| 8.2
| Network
| Low
| None
| Required
| Changed
| High
| Low
| None
| 12.1.1 - 12.1.3, 12.2.3 - 12.2.10
|
|
|---|
| CVE-2020-14857 | Oracle Trade Management
| User Interface
| HTTP
| Yes
| 8.2
| Network
| Low
| None
| Required
| Changed
| High
| Low
| None
| 12.1.1 - 12.1.3, 12.2.3 - 12.2.10
|
|
|---|
| CVE-2020-14774 | Oracle CRM Technical Foundation
| Preferences
| HTTP
| Yes
| 7.5
| Network
| Low
| None
| None
| Un-
changed
| None
| None
| High
| 12.1.1 - 12.1.3, 12.2.3 - 12.2.10
|
|
|---|
| CVE-2020-14761 | Oracle Applications Manager
| Oracle Diagnostics Interfaces
| HTTP
| Yes
| 6.5
| Network
| Low
| None
| None
| Un-
changed
| Low
| Low
| None
| 12.1.3, 12.2.3 - 12.2.7
|
|
|---|
| CVE-2020-14823 | Oracle CRM Technical Foundation
| Preferences
| HTTP
| No
| 6.5
| Network
| Low
| High
| None
| Un-
changed
| High
| High
| None
| 12.2.3 - 12.2.10
|
|
|---|
| CVE-2020-14811 | Oracle Applications Manager
| AMP EBS Integration
| HTTP
| Yes
| 5.3
| Network
| Low
| None
| None
| Un-
changed
| Low
| None
| None
| 12.1.3, 12.2.3 - 12.2.10
|
|
|---|
| CVE-2020-14826 | Oracle Applications Manager
| SQL Extensions
| HTTP
| Yes
| 5.3
| Network
| Low
| None
| None
| Un-
changed
| Low
| None
| None
| 12.1.3, 12.2.3 - 12.2.10
|
|
|---|
| CVE-2020-14840 | Oracle Application Object Library
| Diagnostics
| HTTP
| Yes
| 4.7
| Network
| Low
| None
| Required
| Changed
| None
| Low
| None
| 12.1.3, 12.2.3 - 12.2.10
|
|
|---|
| CVE-2020-14746 | Oracle Applications Framework
| Popup windows
| HTTP
| Yes
| 4.7
| Network
| Low
| None
| Required
| Changed
| None
| Low
| None
| 12.1.3, 12.2.3 - 12.2.10
|
|
|---|
| CVE-2020-14822 | Oracle Installed Base
| APIs
| HTTP
| Yes
| 4.7
| Network
| Low
| None
| Required
| Changed
| None
| Low
| None
| 12.1.1 - 12.1.3, 12.2.3 - 12.2.10
|
|
|---|
Oracle Enterprise Manager Risk MatrixThis Critical Patch Update contains 11 new security patches for Oracle Enterprise Manager. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager
installed. The English text form of this Risk Matrix can be found here. Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware
versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied
to your environments, refer to Critical Patch Update October 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2694898.1.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2019-13990 | Enterprise Manager Ops Center
| Agent Provisioning (Quartz Scheduler)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 12.4.0.0
|
|
|---|
| CVE-2018-11058 | Oracle Application Testing Suite
| Load Testing for Web Apps (RSA BSAFE Crypto-C)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 13.3.0.1
|
|
|---|
| CVE-2019-17638 | Oracle Application Testing Suite
| Load Testing for Web Apps (Eclipse Jetty)
| HTTP
| Yes
| 9.4
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| Low
| 13.3.0.1
|
|
|---|
| CVE-2020-5398 | Enterprise Manager Base Platform
| Connector Framework (Spring Framework)
| HTTP
| Yes
| 7.5
| Network
| High
| None
| Required
| Un-
changed
| High
| High
| High
| 13.2.1.0
|
|
|---|
| CVE-2020-1967 | Enterprise Manager for Storage Management
| Privilege Management (OpenSSL)
| HTTPS
| Yes
| 7.5
| Network
| Low
| None
| None
| Un-
changed
| None
| None
| High
| 13.3.0.0, 13.4.0.0
|
|
|---|
| CVE-2020-5398 | Oracle Application Testing Suite
| Load Testing for Web Apps (Spring Framework)
| HTTP
| Yes
| 7.5
| Network
| High
| None
| Required
| Un-
changed
| High
| High
| High
| 13.3.0.1
|
|
|---|
| CVE-2019-3740 | Application Performance Management (APM)
| Comp Management and Life Cycle Management (RSA BSAFE Crypto-J)
| HTTPS
| Yes
| 6.5
| Network
| Low
| None
| Required
| Un-
changed
| High
| None
| None
| 13.3.0.0, 13.4.0.0
|
|
|---|
| CVE-2019-2897 | Enterprise Manager Base Platform
| Event Management
| HTTP
| No
| 6.4
| Network
| Low
| Low
| None
| Changed
| Low
| Low
| None
| 13.3.0.0, 13.4.0.0
|
|
|---|
| CVE-2020-11022 | Enterprise Manager Ops Center
| Reports in Ops Center (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 12.4.0.0
|
|
|---|
| CVE-2020-1954 | Enterprise Manager Base Platform
| Connector Framework (Apache CXF)
| HTTP
| Yes
| 5.3
| Adjacent
Network
| High
| None
| None
| Un-
changed
| High
| None
| None
| 13.2.1.0
|
|
|---|
| CVE-2020-9488 | Enterprise Manager for Peoplesoft
| PSEM Plugin (Apache Log4j)
| SMTPS
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 13.4.1.1
|
|
|---|
Additional CVEs addressed are:- The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769
- The patch for CVE-2019-13990 also addresses CVE-2019-5427
- The patch for CVE-2019-17638 also addresses CVE-2019-17632
- The patch for CVE-2019-3740 also addresses CVE-2019-3738 and
CVE-2019-3739
- The patch for CVE-2020-1954 also addresses CVE-2019-12419
- The patch for CVE-2020-5398 also addresses CVE-2020-5397
Oracle Financial Services Applications Risk MatrixThis Critical Patch Update contains 53 new security patches for Oracle Financial Services Applications. 49 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user
credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2019-17495 | Oracle Banking Platform
| Collections (Swagger UI)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 2.4.0-2.10.0
|
|
|---|
| CVE-2020-10683 | Oracle Banking Platform
| Collections (dom4j)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 2.4.0-2.10.0
|
|
|---|
| CVE-2019-10173 | Oracle Banking Platform
| Collections (xstream)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 2.4.0-2.10.0
|
|
|---|
| CVE-2020-10683 | Oracle Financial Services Analytical Applications Infrastructure
| Infrastructure (dom4j)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 8.0.6-8.1.0
|
|
|---|
| CVE-2020-9546 | Oracle Financial Services Analytical Applications Infrastructure
| Infrastructure (jackson-databind)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 8.0.6-8.1.0
|
|
|---|
| CVE-2020-9546 | Oracle Financial Services Institutional Performance Analytics
| User Interface (jackson-databind)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 8.0.6, 8.7.0, 8.1.0
|
|
|---|
| CVE-2020-9546 | Oracle Financial Services Price Creation and Discovery
| User Interface (jackson-databind)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 8.0.6, 8.0.7
|
|
|---|
| CVE-2017-5645 | Oracle Financial Services Regulatory Reporting with AgileREPORTER
| Core (Apache Ant)
| Multiple
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 8.0.9.2.0
|
|
|---|
| CVE-2020-9546 | Oracle Financial Services Retail Customer Analytics
| User Interface (jackson-databind)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 8.0.6
|
|
|---|
| CVE-2020-11973 | Oracle FLEXCUBE Private Banking
| Core (Apache Camel)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 12.0.0, 12.1.0
|
|
|---|
| CVE-2020-14824 | Oracle Financial Services Analytical Applications Infrastructure
| Infrastructure
| HTTP
| Yes
| 8.6
| Network
| Low
| None
| None
| Changed
| None
| None
| High
| 8.0.6-8.1.0
|
|
|---|
| CVE-2020-14195 | Oracle Banking Digital Experience
| Framework (jackson-databind)
| HTTPS
| Yes
| 8.1
| Network
| High
| None
| None
| Un-
changed
| High
| High
| High
| 18.1, 18.2, 18.3, 19.1, 19.2, 20.1
|
|
|---|
| CVE-2020-5398 | Oracle Financial Services Regulatory Reporting with AgileREPORTER
| Core (Spring Framework)
| HTTP
| Yes
| 7.5
| Network
| High
| None
| Required
| Un-
changed
| High
| High
| High
| 8.0.9.2.0
|
|
|---|
| CVE-2020-5398 | Oracle FLEXCUBE Private Banking
| Core (Spring Framework)
| HTTP
| Yes
| 7.5
| Network
| High
| None
| Required
| Un-
changed
| High
| High
| High
| 12.0.0, 12.1.0
|
|
|---|
| CVE-2020-14894 | Oracle Banking Corporate Lending
| Core
| HTTP
| No
| 6.5
| Network
| Low
| Low
| None
| Un-
changed
| High
| None
| None
| 12.3.0, 14.0.0-14.4.0
|
|
|---|
| CVE-2020-14896 | Oracle Banking Payments
| Core
| HTTP
| No
| 6.5
| Network
| Low
| Low
| None
| Un-
changed
| High
| None
| None
| 14.1.0-14.4.0
|
|
|---|
| CVE-2020-14890 | Oracle FLEXCUBE Direct Banking
| Pre Login
| HTTP
| Yes
| 6.5
| Network
| Low
| None
| Required
| Un-
changed
| High
| None
| None
| 12.0.1, 12.0.2, 12.0.3
|
|
|---|
| CVE-2020-14897 | Oracle FLEXCUBE Direct Banking
| Pre Login
| HTTP
| Yes
| 6.5
| Network
| Low
| None
| Required
| Un-
changed
| High
| None
| None
| 12.0.1, 12.0.2, 12.0.3
|
|
|---|
| CVE-2020-14887 | Oracle FLEXCUBE Universal Banking
| Infrastructure
| HTTP
| No
| 6.5
| Network
| Low
| Low
| None
| Un-
changed
| High
| None
| None
| 12.3.0, 14.0.0-14.4.0
|
|
|---|
| CVE-2020-11022 | Oracle Banking Digital Experience
| Framework (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 18.1, 18.2, 18.3, 19.1, 19.2, 20.1
|
|
|---|
| CVE-2020-11022 | Oracle Financial Services Analytical Applications Infrastructure
| Infrastructure (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.6-8.1.0
|
|
|---|
| CVE-2020-11022 | Oracle Financial Services Analytical Applications Reconciliation Framework
| User Interface (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.6-8.0.8, 8.1.0
|
|
|---|
| CVE-2020-11022 | Oracle Financial Services Asset Liability Management
| User Interface (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.6, 8.0.7, 8.1.0
|
|
|---|
| CVE-2020-11022 | Oracle Financial Services Balance Sheet Planning
| User Interface (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.8
|
|
|---|
| CVE-2020-11022 | Oracle Financial Services Basel Regulatory Capital Basic
| User Interface (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.6-8.0.8, 8.1.0
|
|
|---|
| CVE-2020-11022 | Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach
| User Interface (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.6-8.0.8, 8.1.0
|
|
|---|
| CVE-2020-11022 | Oracle Financial Services Data Foundation
| Infrastructure (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.6-8.1.0
|
|
|---|
| CVE-2020-11022 | Oracle Financial Services Data Governance for US Regulatory Reporting
| User Interface (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.6-8.0.9
|
|
|---|
| CVE-2020-11022 | Oracle Financial Services Data Integration Hub
| User Interface (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.6, 8.0.7, 8.1.0
|
|
|---|
| CVE-2020-11022 | Oracle Financial Services Funds Transfer Pricing
| User Interface (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.6, 8.0.7, 8.1.0
|
|
|---|
| CVE-2020-11022 | Oracle Financial Services Hedge Management and IFRS Valuations
| User Interface (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.6-8.0.8, 8.1.0
|
|
|---|
| CVE-2020-11022 | Oracle Financial Services Institutional Performance Analytics
| User Interface (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.6, 8.0.7, 8.1.0
|
|
|---|
| CVE-2020-11022 | Oracle Financial Services Liquidity Risk Management
| User Interface (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.6
|
|
|---|
| CVE-2020-11022 | Oracle Financial Services Liquidity Risk Measurement and Management
| User Interface (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.7, 8.0.8, 8.1.0
|
|
|---|
| CVE-2020-11022 | Oracle Financial Services Loan Loss Forecasting and Provisioning
| User Interface (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.6-8.0.8, 8.1.0
|
|
|---|
| CVE-2020-11022 | Oracle Financial Services Market Risk Measurement and Management
| Infrastructure (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.6, 8.0.8
|
|
|---|
| CVE-2020-11022 | Oracle Financial Services Price Creation and Discovery
| User Interface (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.6, 8.0.7
|
|
|---|
| CVE-2020-11022 | Oracle Financial Services Profitability Management
| User Interface (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.6, 8.0.7, 8.1.0
|
|
|---|
| CVE-2020-11022 | Oracle Financial Services Regulatory Reporting for European Banking Authority
| User Interface (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.6-8.1.0
|
|
|---|
| CVE-2020-11022 | Oracle Financial Services Regulatory Reporting for US Federal Reserve
| User Interface (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.6-8.0.9
|
|
|---|
| CVE-2020-1941 | Oracle FLEXCUBE Private Banking
| Core (Apache ActiveMQ)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 12.0.0, 12.1.0
|
|
|---|
| CVE-2020-11022 | Oracle Insurance Accounting Analyzer
| IFRS17 (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.9
|
|
|---|
| CVE-2020-11022 | Oracle Insurance Allocation Manager for Enterprise Profitability
| User Interface (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.8, 8.1.0
|
|
|---|
| CVE-2020-11022 | Oracle Insurance Data Foundation
| Infrastructure (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.0.6-8.1.0
|
|
|---|
| CVE-2020-1951 | Oracle FLEXCUBE Private Banking
| Core (Apache Tika)
| None
| No
| 5.5
| Local
| Low
| None
| Required
| Un-
changed
| None
| None
| High
| 12.0.0, 12.1.0
|
|
|---|
| CVE-2019-10247 | Oracle FLEXCUBE Core Banking
| Core (Eclipse Jetty)
| HTTP
| Yes
| 5.3
| Network
| Low
| None
| None
| Un-
changed
| Low
| None
| None
| 5.2.0, 11.5.0-11.7.0
|
|
|---|
| CVE-2020-9488 | Oracle Financial Services Analytical Applications Infrastructure
| Infrastructure (Apache Log4j)
| SMTPS
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 8.0.6-8.1.0
|
|
|---|
| CVE-2020-9488 | Oracle Financial Services Institutional Performance Analytics
| User Interface (Apache Log4j)
| SMTPS
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 8.0.6, 8.7.0, 8.1.0
|
|
|---|
| CVE-2020-9488 | Oracle Financial Services Market Risk Measurement and Management
| Infrastructure (Apache log4j)
| SMTPS
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 8.0.6, 8.0.8, 8.1.0
|
|
|---|
| CVE-2020-9488 | Oracle Financial Services Price Creation and Discovery
| User Interface (Apache Log4j)
| SMTPS
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 8.0.6, 8.0.7
|
|
|---|
| CVE-2020-9488 | Oracle Financial Services Retail Customer Analytics
| User Interface (Apache Log4j)
| SMTPS
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 8.0.6
|
|
|---|
| CVE-2020-9488 | Oracle FLEXCUBE Core Banking
| Core (Apache Log4j)
| SMTPS
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 5.2.0, 11.5.0-11.7.0
|
|
|---|
| CVE-2020-9488 | Oracle FLEXCUBE Private Banking
| Core (Apache Log4j)
| SMTPS
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 12.0.0, 12.1.0
|
|
|---|
Additional CVEs addressed are:- The patch for CVE-2019-10173 also addresses CVE-2013-7285
- The patch for CVE-2019-10247 also addresses CVE-2019-10246
- The patch for CVE-2020-11022 also addresses CVE-2020-11023
- The patch for CVE-2020-11973 also addresses CVE-2020-11971 and CVE-2020-11972
- The patch for CVE-2020-14195 also addresses CVE-2020-14060, CVE-2020-14061 and CVE-2020-14062
- The
patch for CVE-2020-1941 also addresses CVE-2020-13920
- The patch for CVE-2020-1951 also addresses CVE-2020-1950
- The patch for CVE-2020-5398 also addresses CVE-2020-5397
- The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-9547 and CVE-2020-9548
Oracle Food and Beverage Applications Risk MatrixThis
Critical Patch Update contains 4 new security patches for Oracle Food and Beverage Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2020-11022 | Oracle Hospitality Materials Control
| Mobile Authorization (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 18.1
|
|
|---|
| CVE-2020-11022 | Oracle Hospitality Simphony
| Simphony Apps (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 18.1, 18.2, 19.1.0-19.1.2
|
|
|---|
| CVE-2020-14753 | Oracle Hospitality Reporting and Analytics
| Installation
| None
| No
| 5.9
| Local
| Low
| Low
| Required
| Changed
| High
| None
| None
| 9.1.0
|
|
|---|
| CVE-2020-14783 | Oracle Hospitality RES 3700
| CAL
| TCP
| Yes
| 5.3
| Network
| Low
| None
| None
| Un-
changed
| Low
| None
| None
| 5.7
|
|
|---|
Additional CVEs addressed are:- The patch for CVE-2020-11022 also addresses CVE-2020-11023
Oracle Fusion Middleware Risk MatrixThis Critical Patch Update contains 46 new security patches for Oracle Fusion Middleware. 36 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user
credentials. The English text form of this Risk Matrix can be found here. Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle
Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update October 2020 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2020 Patch Availability Document for Oracle Products,
My Oracle Support Note 2694898.1.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2017-5645 | Identity Manager Connector
| General and Misc (Apache Log4j)
| Multiple
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 9.0
|
|
|---|
| CVE-2018-11058 | Oracle Access Manager
| Web Server Plugin (RSA BSafe)
| HTTPS
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 11.1.2.3.0
|
|
|---|
| CVE-2017-9800 | Oracle Data Integrator
| Install, config, upgrade (Apache HTTP Server)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 12.2.1.3.0
|
|
|---|
| CVE-2020-10683 | Oracle Endeca Information Discovery Integrator
| Integrator ETL (dom4j)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 3.2.0
|
|
|---|
| CVE-2019-10173 | Oracle Endeca Information Discovery Studio
| Endeca Server (xstream)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 3.2.0
|
|
|---|
| CVE-2019-2904 | Oracle Enterprise Repository
| Security Subsystem - 12c (Application Development Framework)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 11.1.1.7.0
|
|
|---|
| CVE-2018-8088 | Oracle GoldenGate Application Adapters
| Application Adapters (SLF4J)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 12.3.2.1.0
|
|
|---|
| CVE-2019-17531 | Oracle GoldenGate Application Adapters
| Build Request (jackson-databind)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 19.1.0.0.0
|
|
|---|
| CVE-2018-11058 | Oracle GoldenGate Application Adapters
| Security Service (RSA BSAFE)
| HTTPS
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 12.3.2.1.0
|
|
|---|
| CVE-2019-5482 | Oracle HTTP Server
| Web Listener (cURL)
| TFTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 12.2.1.3.0, 12.2.1.4.0
|
|
|---|
| CVE-2020-10683 | Oracle WebCenter Portal
| Portlet Services (dom4j)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 12.2.1.3.0, 12.2.1.4.0
|
|
|---|
| CVE-2020-2555 | Oracle WebCenter Portal
| Security Framework (Oracle Coherence)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 12.2.1.3.0, 12.2.1.4.0
|
|
|---|
| CVE-2019-10173 | Oracle WebCenter Portal
| Security Framework (xstream)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 11.1.1.9.0, 12.2.1.3.0
|
|
|---|
| CVE-2019-17267 | Oracle WebLogic Server
| Centralized Thirdparty Jars (jackson-databind)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 12.2.1.3.0
|
|
|---|
| CVE-2020-14882 | Oracle WebLogic Server
| Console
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
|
|
|---|
| CVE-2020-14841 | Oracle WebLogic Server
| Core
| IIOP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
|
|
|---|
| CVE-2020-14825 | Oracle WebLogic Server
| Core
| IIOP, T3
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
|
|
|---|
| CVE-2020-14859 | Oracle WebLogic Server
| Core
| IIOP, T3
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
|
|
|---|
| CVE-2020-14879 | BI Publisher
| E-Business Suite - XDO
| HTTP
| No
| 8.5
| Network
| Low
| Low
| None
| Changed
| High
| Low
| None
| 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
|
|
|---|
| CVE-2020-14880 | BI Publisher
| E-Business Suite - XDO
| HTTP
| No
| 8.5
| Network
| Low
| Low
| None
| Changed
| High
| Low
| None
| 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
|
|
|---|
| CVE-2020-14842 | BI Publisher
| BI Publisher Security
| HTTP
| Yes
| 8.2
| Network
| Low
| None
| Required
| Changed
| High
| Low
| None
| 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
|
|
|---|
| CVE-2020-14784 | Oracle BI Publisher
| Mobile Service
| HTTP
| Yes
| 8.2
| Network
| Low
| None
| Required
| Changed
| High
| Low
| None
| 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
|
|
|---|
| CVE-2020-14815 | Oracle Business Intelligence Enterprise Edition
| Analytics Actions
| HTTP
| Yes
| 8.2
| Network
| Low
| None
| Required
| Changed
| High
| Low
| None
| 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
|
|
|---|
| CVE-2016-2510 | Oracle Data Integrator
| Jave APIs (BeanShell)
| HTTP
| Yes
| 8.1
| Network
| High
| None
| None
| Un-
changed
| High
| High
| High
| 11.1.1.9.0, 12.2.1.3.0
|
|
|---|
| CVE-2020-3235 | Management Pack for Oracle GoldenGate
| Monitor (SNMP)
| SNMP
| No
| 7.7
| Network
| Low
| Low
| None
| Changed
| None
| None
| High
| 12.2.1.2.0
|
|
|---|
| CVE-2020-14864 | Oracle Business Intelligence Enterprise Edition
| Installation
| HTTP
| Yes
| 7.5
| Network
| Low
| None
| None
| Un-
changed
| High
| None
| None
| 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
|
|
|---|
| CVE-2020-1967 | Oracle HTTP Server
| SSL Module (OpenSSL)
| HTTPS
| Yes
| 7.5
| Network
| Low
| None
| None
| Un-
changed
| None
| None
| High
| 12.2.1.4.0
|
|
|---|
| CVE-2020-14820 | Oracle WebLogic Server
| Core
| IIOP, T3
| Yes
| 7.5
| Network
| Low
| None
| None
| Un-
changed
| High
| None
| None
| 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
|
|
|---|
| CVE-2019-10097 | Oracle HTTP Server
| Core (Apache HTTP Server)
| HTTP
| No
| 7.2
| Network
| Low
| High
| None
| Un-
changed
| High
| High
| High
| 12.2.1.4.0
|
|
|---|
| CVE-2020-14883 | Oracle WebLogic Server
| Console
| HTTP
| No
| 7.2
| Network
| Low
| High
| None
| Un-
changed
| High
| High
| High
| 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
|
|
|---|
| CVE-2020-14780 | BI Publisher
| BI Publisher Security
| HTTP
| Yes
| 7.1
| Network
| Low
| None
| Required
| Un-
changed
| High
| Low
| None
| 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
|
|
|---|
| CVE-2020-14843 | Oracle Business Intelligence Enterprise Edition
| Analytics Actions
| HTTP
| Yes
| 7.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| Low
| 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
|
|
|---|
| CVE-2020-14766 | Oracle Business Intelligence Enterprise Edition
| Analytics Web Administration
| HTTP
| No
| 7.1
| Network
| Low
| Low
| None
| Un-
changed
| High
| Low
| None
| 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
|
|
|---|
| CVE-2020-9484 | Oracle Managed File Transfer
| MFT Runtime Server (Apache Tomcat)
| None
| No
| 7.0
| Local
| High
| Low
| None
| Un-
changed
| High
| High
| High
| 12.2.1.3.0, 12.2.1.4.0
|
|
|---|
| CVE-2020-14757 | Oracle WebLogic Server
| Web Services
| HTTP
| Yes
| 6.8
| Network
| High
| None
| Required
| Un-
changed
| High
| High
| None
| 12.2.1.3.0
|
|
|---|
| CVE-2020-15389 | Oracle Outside In Technology
| Installation (OpenJPEG)
| HTTP
| Yes
| 6.5
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| High
| 8.5.5, 8.5.4
| See Note 1
|
|---|
| CVE-2020-1945 | Oracle Business Process Management Suite
| Runtime Engine (Apache Ant)
| None
| No
| 6.3
| Local
| High
| Low
| None
| Un-
changed
| High
| High
| None
| 12.2.1.3.0, 12.2.1.4.0
|
|
|---|
| CVE-2019-11358 | BI Publisher
| BI Publisher Security (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
|
|
|---|
| CVE-2019-11358 | Oracle Business Process Management Suite
| Runtime Engine (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 12.2.1.3.0, 12.2.1.4.0
|
|
|---|
| CVE-2019-2904 | Oracle Business Process Management Suite
| Runtime Engine (Application Development Framework)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 12.2.1.3.0, 12.2.1.4.0
|
|
|---|
| CVE-2020-11022 | Oracle JDeveloper
| ADF Faces (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
|
|
|---|
| CVE-2020-9281 | Oracle WebCenter Portal
| Blogs and Wikis (CKEditor)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
|
|
|---|
| CVE-2020-11022 | Oracle WebLogic Server
| Console (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
|
|
|---|
| CVE-2020-1951 | Oracle Business Process Management Suite
| Document Service (Apache Tika)
| None
| No
| 5.5
| Local
| Low
| None
| Required
| Un-
changed
| None
| None
| High
| 12.2.1.3.0, 12.2.1.4.0
|
|
|---|
| CVE-2020-13631 | Oracle Outside In Technology
| Installation (SQLite)
| None
| No
| 5.5
| Local
| Low
| Low
| None
| Un-
changed
| None
| High
| None
| 8.5.5, 8.5.4
| See Note 1
|
|---|
| CVE-2020-9488 | Oracle WebLogic Server
| Core (Apache Log4j)
| SMTPS
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 10.3.6.0.0
|
|
|---|
Notes:- Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.
Additional CVEs addressed
are:- The patch for CVE-2017-9800 also addresses CVE-2016-2167, CVE-2016-2168 and CVE-2016-8734
- The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769
- The patch for CVE-2019-17267 also addresses CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943
- The patch for CVE-2019-17531 also addresses
CVE-2019-16943, CVE-2019-17267 and CVE-2019-20330
- The patch for CVE-2019-5482 also addresses CVE-2019-5435, CVE-2019-5436, CVE-2019-5443 and CVE-2019-5481
- The patch for CVE-2020-11022 also addresses CVE-2020-11023
- The patch for CVE-2020-13631 also addresses CVE-2020-11655, CVE-2020-11656, CVE-2020-13630, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
- The patch for CVE-2020-1951 also addresses CVE-2020-1950
Oracle
GraalVM Risk MatrixThis Critical Patch Update contains 1 new security patch for Oracle GraalVM. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2020-14803 | Oracle GraalVM Enterprise Edition
| Java
| Multiple
| Yes
| 5.3
| Network
| Low
| None
| None
| Un-
changed
| Low
| None
| None
| 19.3.3, 20.2.0
|
|
|---|
Oracle Health Sciences Applications Risk MatrixThis Critical Patch Update contains 4 new security patches for Oracle Health Sciences Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found
here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2020-1953 | Oracle Healthcare Foundation
| Self Service Analytics (Apache Commons Configuration)
| HTTP
| Yes
| 10.0
| Network
| Low
| None
| None
| Changed
| High
| High
| High
| 7.1.1, 7.2.0, 7.2.1, 7.3.0
|
|
|---|
| CVE-2020-10683 | Oracle Health Sciences Empirica Signal
| User Interface (dom4j)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 9.0
|
|
|---|
| CVE-2020-2555 | Oracle Healthcare Data Repository
| Database Module (Oracle Coherence)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 7.0.1
|
|
|---|
| CVE-2020-11022 | Oracle Healthcare Foundation
| Admin Console (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 7.1.1, 7.2.0, 7.2.1, 7.3.0
|
|
|---|
Additional CVEs addressed are:- The patch for CVE-2020-11022 also addresses CVE-2020-11023
Oracle Hospitality Applications Risk MatrixThis Critical Patch Update contains 6 new security patches for Oracle Hospitality Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring
user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2019-17638 | Oracle Hospitality Guest Access
| Base (Eclipse Jetty)
| HTTP
| Yes
| 9.4
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| Low
| 4.2.0, 4.2.1
|
|
|---|
| CVE-2020-14807 | Oracle Hospitality Suite8
| WebConnect
| HTTP
| Yes
| 7.1
| Network
| Low
| None
| Required
| Un-
changed
| High
| Low
| None
| 8.10.2, 8.11-8.14
|
|
|---|
| CVE-2020-9484 | Oracle Hospitality Guest Access
| Base (Apache Tomcat)
| None
| No
| 7.0
| Local
| High
| Low
| None
| Un-
changed
| High
| High
| High
| 4.2.0, 4.2.1
|
|
|---|
| CVE-2020-14858 | Oracle Hospitality OPERA 5 Property Services
| Logging
| HTTP
| No
| 6.8
| Network
| Low
| High
| Required
| Un-
changed
| High
| High
| High
| 5.5, 5.6
|
|
|---|
| CVE-2020-14877 | Oracle Hospitality OPERA 5 Property Services
| Logging
| HTTP
| No
| 6.5
| Network
| Low
| High
| None
| Un-
changed
| High
| High
| None
| 5.5, 5.6
|
|
|---|
| CVE-2020-14810 | Oracle Hospitality Suite8
| WebConnect
| HTTP
| Yes
| 5.4
| Network
| Low
| None
| Required
| Un-
changed
| Low
| Low
| None
| 8.10.2, 8.11-8.14
|
|
|---|
Additional CVEs addressed are:- The patch for CVE-2019-17638 also addresses CVE-2019-17632
Oracle Hyperion Risk MatrixThis Critical Patch Update contains 9 new security patches for Oracle Hyperion. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The
English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2019-5482 | Hyperion Essbase
| Security and Provisioning (cURL)
| TFTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 11.1.2.4
|
|
|---|
| CVE-2020-14854 | Hyperion Infrastructure Technology
| UI and Visualization
| HTTP
| No
| 6.1
| Network
| Low
| High
| Required
| Un-
changed
| High
| High
| None
| 11.1.2.4
|
|
|---|
| CVE-2019-1547 | Hyperion Essbase
| Security and Provisioning (OpenSSL)
| None
| No
| 4.7
| Local
| High
| Low
| None
| Un-
changed
| High
| None
| None
| 11.1.2.4
|
|
|---|
| CVE-2020-14768 | Hyperion Analytic Provider Services
| Smart View Provider
| HTTP
| No
| 4.3
| Adjacent
Network
| High
| Low
| Required
| Un-
changed
| Low
| Low
| Low
| 11.1.2.4
|
|
|---|
| CVE-2020-14767 | Hyperion BI+
| IQR-Foundation service
| Multiple
| No
| 4.2
| Network
| High
| High
| Required
| Un-
changed
| High
| None
| None
| 11.1.2.4
|
|
|---|
| CVE-2020-14752 | Hyperion Lifecycle Management
| Shared Services
| HTTP
| No
| 4.2
| Network
| High
| High
| Required
| Un-
changed
| None
| High
| None
| 11.1.2.4
|
|
|---|
| CVE-2020-14772 | Hyperion Lifecycle Management
| Shared Services
| HTTP
| No
| 4.2
| Network
| High
| High
| Required
| Un-
changed
| None
| High
| None
| 11.1.2.4
|
|
|---|
| CVE-2020-14764 | Hyperion Planning
| Application Development Framework
| HTTP
| No
| 4.2
| Network
| High
| High
| Required
| Un-
changed
| None
| High
| None
| 11.1.2.4
|
|
|---|
| CVE-2020-14770 | Hyperion BI+
| IQR-Foundation service
| Multiple
| No
| 2.0
| Network
| High
| High
| Required
| Un-
changed
| Low
| None
| None
| 11.1.2.4
|
|
|---|
Additional CVEs addressed are:- The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563
- The patch for CVE-2019-5482 also addresses CVE-2019-5481
Oracle Insurance Applications Risk MatrixThis Critical Patch Update contains 6 new security patches for Oracle Insurance Applications. All of these vulnerabilities may be
remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2020-9546 | Oracle Insurance Policy Administration J2EE
| Architecture (jackson-databind)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 11.0.2.25, 11.1.0.15
|
|
|---|
| CVE-2020-5398 | Oracle Insurance Policy Administration J2EE
| Admin Console (Spring Framework)
| HTTP
| Yes
| 7.5
| Network
| High
| None
| Required
| Un-
changed
| High
| High
| High
| 11.2.2.0
|
|
|---|
| CVE-2020-11022 | Oracle Insurance Insbridge Rating and Underwriting
| Framework Administrator IBFA (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 5.0.0.0 - 5.6.0.0, 5.6.1.0
|
|
|---|
| CVE-2020-9488 | Oracle Insurance Insbridge Rating and Underwriting
| Framework Administrator IBFA (Apache Log4j)
| SMTPS
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 5.0.0.0 - 5.6.0.0, 5.6.1.0
|
|
|---|
| CVE-2020-9488 | Oracle Insurance Policy Administration J2EE
| Architecture (Apache Log4j)
| SMTPS
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26
|
|
|---|
| CVE-2020-9488 | Oracle Insurance Rules Palette
| Architecture (Apache Log4j)
| SMTPS
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26
|
|
|---|
Additional CVEs addressed are:- The patch for CVE-2020-11022 also addresses CVE-2019-11358 and CVE-2020-11023
- The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-9547 and CVE-2020-9548
Oracle Java SE Risk MatrixThis Critical Patch
Update contains 8 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2020-14803 | Java SE
| Libraries
| Multiple
| Yes
| 5.3
| Network
| Low
| None
| None
| Un-
changed
| Low
| None
| None
| Java SE: 11.0.8, 15
| See Note 1
|
|---|
| CVE-2020-14792 | Java SE, Java SE Embedded
| Hotspot
| Multiple
| Yes
| 4.2
| Network
| High
| None
| Required
| Un-
changed
| Low
| Low
| None
| Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261
| See Note 2
|
|---|
| CVE-2020-14781 | Java SE, Java SE Embedded
| JNDI
| Multiple
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261
| See Note 2
|
|---|
| CVE-2020-14782 | Java SE, Java SE Embedded
| Libraries
| Multiple
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| None
| Low
| None
| Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261
| See Note 2
|
|---|
| CVE-2020-14797 | Java SE, Java SE Embedded
| Libraries
| Multiple
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| None
| Low
| None
| Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261
| See Note 2
|
|---|
| CVE-2020-14779 | Java SE, Java SE Embedded
| Serialization
| Multiple
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| None
| None
| Low
| Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261
| See Note 2
|
|---|
| CVE-2020-14796 | Java SE, Java SE Embedded
| Libraries
| Multiple
| Yes
| 3.1
| Network
| High
| None
| Required
| Un-
changed
| Low
| None
| None
| Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261
| See Note 1
|
|---|
| CVE-2020-14798 | Java SE, Java SE Embedded
| Libraries
| Multiple
| Yes
| 3.1
| Network
| High
| None
| Required
| Un-
changed
| None
| Low
| None
| Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261
| See Note 1
|
|---|
Notes:- This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an
administrator).
- Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
Oracle MySQL Risk MatrixThis Critical Patch Update contains 53 new security patches
plus additional third party patches noted below for Oracle MySQL. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2020-8174 | MySQL Cluster
| Cluster: JS module (Node.js)
| Multiple
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 7.3.30 and prior, 7.4.29 and prior, 7.5.19 and prior, 7.6.15 and prior, 8.0.21 and prior
|
|
|---|
| CVE-2020-14878 | MySQL Server
| Server: Security: LDAP Auth
| MySQL Protocol
| No
| 8.0
| Adjacent
Network
| Low
| Low
| None
| Un-
changed
| High
| High
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-13935 | MySQL Enterprise Monitor
| Monitoring: General (Apache Tomcat)
| HTTPS
| Yes
| 7.5
| Network
| Low
| None
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-1967 | MySQL Workbench
| Workbench: Security: Encryption (OpenSSL)
| MySQL Workbench
| Yes
| 7.5
| Network
| Low
| None
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14828 | MySQL Server
| Server: DML
| MySQL Protocol
| No
| 7.2
| Network
| Low
| High
| None
| Un-
changed
| High
| High
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14775 | MySQL Server
| InnoDB
| MySQL Protocol
| No
| 6.5
| Network
| Low
| Low
| None
| Un-
changed
| None
| None
| High
| 5.7.31 and prior, 8.0.21 and prior
|
|
|---|
| CVE-2020-14765 | MySQL Server
| Server: FTS
| MySQL Protocol
| No
| 6.5
| Network
| Low
| Low
| None
| Un-
changed
| None
| None
| High
| 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
|
|
|---|
| CVE-2020-14769 | MySQL Server
| Server: Optimizer
| MySQL Protocol
| No
| 6.5
| Network
| Low
| Low
| None
| Un-
changed
| None
| None
| High
| 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
|
|
|---|
| CVE-2020-14830 | MySQL Server
| Server: Optimizer
| MySQL Protocol
| No
| 6.5
| Network
| Low
| Low
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14836 | MySQL Server
| Server: Optimizer
| MySQL Protocol
| No
| 6.5
| Network
| Low
| Low
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14846 | MySQL Server
| Server: Optimizer
| MySQL Protocol
| No
| 6.5
| Network
| Low
| Low
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14800 | MySQL Server
| Server: Security: Encryption
| MySQL Protocol
| No
| 6.5
| Network
| Low
| Low
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14827 | MySQL Server
| Server: Security: LDAP Auth
| MySQL Protocol
| No
| 6.5
| Network
| Low
| Low
| None
| Un-
changed
| High
| None
| None
| 5.7.31 and prior, 8.0.21 and prior
|
|
|---|
| CVE-2020-14760 | MySQL Server
| Server: Optimizer
| MySQL Protocol
| No
| 5.5
| Network
| Low
| High
| None
| Un-
changed
| None
| Low
| High
| 5.7.31 and prior
|
|
|---|
| CVE-2020-1730 | MySQL Workbench
| MySQL Workbench (libssh)
| MySQL Workbench
| Yes
| 5.3
| Network
| Low
| None
| None
| Un-
changed
| None
| None
| Low
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14776 | MySQL Server
| InnoDB
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 5.7.31 and prior, 8.0.21 and prior
|
|
|---|
| CVE-2020-14821 | MySQL Server
| InnoDB
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14829 | MySQL Server
| InnoDB
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14848 | MySQL Server
| InnoDB
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14852 | MySQL Server
| Server: Charsets
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14814 | MySQL Server
| Server: DML
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14789 | MySQL Server
| Server: FTS
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 5.7.31 and prior, 8.0.21 and prior
|
|
|---|
| CVE-2020-14804 | MySQL Server
| Server: FTS
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14812 | MySQL Server
| Server: Locking
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
|
|
|---|
| CVE-2020-14773 | MySQL Server
| Server: Optimizer
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14777 | MySQL Server
| Server: Optimizer
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14785 | MySQL Server
| Server: Optimizer
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14793 | MySQL Server
| Server: Optimizer
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
|
|
|---|
| CVE-2020-14794 | MySQL Server
| Server: Optimizer
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14809 | MySQL Server
| Server: Optimizer
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14837 | MySQL Server
| Server: Optimizer
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14839 | MySQL Server
| Server: Optimizer
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14845 | MySQL Server
| Server: Optimizer
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14861 | MySQL Server
| Server: Optimizer
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14866 | MySQL Server
| Server: Optimizer
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14868 | MySQL Server
| Server: Optimizer
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14888 | MySQL Server
| Server: Optimizer
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14891 | MySQL Server
| Server: Optimizer
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14893 | MySQL Server
| Server: Optimizer
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14786 | MySQL Server
| Server: PS
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14790 | MySQL Server
| Server: PS
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 5.7.31 and prior, 8.0.21 and prior
|
|
|---|
| CVE-2020-14844 | MySQL Server
| Server: PS
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14799 | MySQL Server
| Server: Security: Encryption
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.20 and prior
|
|
|---|
| CVE-2020-14869 | MySQL Server
| Server: Security: LDAP Auth
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 5.7.31 and prior, 8.0.21 and prior
|
|
|---|
| CVE-2020-14672 | MySQL Server
| Server: Stored Procedure
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
|
|
|---|
| CVE-2020-14870 | MySQL Server
| Server: X Plugin
| MySQL Protocol
| No
| 4.9
| Network
| Low
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14853 | MySQL Cluster
| Cluster: NDBCluster Plugin
| Multiple
| No
| 4.6
| Network
| Low
| Low
| Required
| Un-
changed
| None
| Low
| Low
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14867 | MySQL Server
| Server: DDL
| MySQL Protocol
| No
| 4.4
| Network
| High
| High
| None
| Un-
changed
| None
| None
| High
| 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
|
|
|---|
| CVE-2020-14873 | MySQL Server
| Server: Logging
| MySQL Protocol
| No
| 4.4
| Network
| High
| High
| None
| Un-
changed
| None
| None
| High
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14838 | MySQL Server
| Server: Security: Privileges
| MySQL Protocol
| No
| 4.3
| Network
| Low
| Low
| None
| Un-
changed
| Low
| None
| None
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14860 | MySQL Server
| Server: Security: Roles
| MySQL Protocol
| No
| 2.7
| Network
| Low
| High
| None
| Un-
changed
| None
| Low
| None
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14791 | MySQL Server
| InnoDB
| MySQL Protocol
| No
| 2.2
| Network
| High
| High
| None
| Un-
changed
| None
| None
| Low
| 8.0.21 and prior
|
|
|---|
| CVE-2020-14771 | MySQL Server
| Server: Security: LDAP Auth
| MySQL Protocol
| No
| 2.2
| Network
| High
| High
| None
| Un-
changed
| None
| None
| Low
| 5.7.31 and prior, 8.0.21 and prior
|
|
|---|
Additional CVEs addressed are:- The patch for CVE-2020-13935 also addresses CVE-2020-11996, CVE-2020-13934 and CVE-2020-9484
- The patch for CVE-2020-8174 also addresses CVE-2020-11080 and CVE-2020-8172
Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:- MySQL Cluster
- Cluster: Configuration (dojo): CVE-2020-4051
Oracle PeopleSoft Risk MatrixThis Critical Patch Update contains 15 new security patches for Oracle PeopleSoft. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found
here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2018-11058 | PeopleSoft Enterprise PeopleTools
| Weblogic (RSA BSafe)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 8.56, 8.57, 8.58
|
|
|---|
| CVE-2020-14865 | PeopleSoft Enterprise SCM eSupplier Connection
| eSupplier Connection
| HTTP
| No
| 8.1
| Network
| Low
| Low
| None
| Un-
changed
| High
| High
| None
| 9.2
|
|
|---|
| CVE-2020-14795 | PeopleSoft Enterprise PeopleTools
| PIA Core Technology
| HTTP
| Yes
| 6.5
| Network
| Low
| None
| Required
| Un-
changed
| High
| None
| None
| 8.57, 8.58
|
|
|---|
| CVE-2020-14778 | PeopleSoft Enterprise HCM Global Payroll Core
| Security
| HTTP
| No
| 6.3
| Network
| Low
| Low
| None
| Un-
changed
| Low
| Low
| Low
| 9.2
|
|
|---|
| CVE-2020-14832 | PeopleSoft Enterprise PeopleTools
| Integration Broker
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.56, 8.57, 8.58
|
|
|---|
| CVE-2020-14801 | PeopleSoft Enterprise PeopleTools
| PIA Core Technology
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.56, 8.57, 8.58
|
|
|---|
| CVE-2020-14802 | PeopleSoft Enterprise PeopleTools
| PIA Core Technology
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.56, 8.57, 8.58
|
|
|---|
| CVE-2020-11022 | PeopleSoft Enterprise PeopleTools
| PIA Core Technology (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.56, 8.57, 8.58
|
|
|---|
| CVE-2020-14813 | PeopleSoft Enterprise PeopleTools
| PIA Grids
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.56, 8.57, 8.58
|
|
|---|
| CVE-2020-11022 | PeopleSoft Enterprise PeopleTools
| Portal, Charting (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 8.56, 8.57, 8.58
|
|
|---|
| CVE-2020-1954 | PeopleSoft Enterprise PeopleTools
| Elastic Search (Apache CXF)
| HTTP
| Yes
| 5.3
| Adjacent
Network
| High
| None
| None
| Un-
changed
| High
| None
| None
| 8.56
|
|
|---|
| CVE-2020-14806 | PeopleSoft Enterprise PeopleTools
| Query
| HTTP
| Yes
| 5.3
| Network
| Low
| None
| None
| Un-
changed
| Low
| None
| None
| 8.56, 8.57, 8.58
|
|
|---|
| CVE-2020-9488 | PeopleSoft Enterprise PeopleTools
| Tools Admin API (Apache Log4j)
| SMTPS
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 8.56, 8.57, 8.58
|
|
|---|
| CVE-2020-9488 | PeopleSoft Enterprise PeopleTools
| Updates Environment Mgmt (Apache Log4j)
| SMTPS
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 8.56, 8.57, 8.58
|
|
|---|
| CVE-2020-14847 | PeopleSoft Enterprise PeopleTools
| Query
| HTTP
| No
| 2.7
| Network
| Low
| High
| None
| Un-
changed
| Low
| None
| None
| 8.56, 8.57, 8.58
|
|
|---|
Additional CVEs addressed are:- The patch for CVE-2020-11022 also addresses CVE-2020-11023
Oracle Policy Automation Risk MatrixThis Critical Patch Update contains 6 new security patches for Oracle Policy Automation. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user
credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2020-11022 | Oracle Policy Automation
| Core (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 12.2.0 - 12.2.20
|
|
|---|
| CVE-2020-11022 | Oracle Policy Automation Connector for Siebel
| Core (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 10.4.6
|
|
|---|
| CVE-2020-11022 | Oracle Policy Automation for Mobile Devices
| Core (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 12.2.0 - 12.2.20
|
|
|---|
| CVE-2020-9488 | Oracle Policy Automation
| Core (Apache Log4j)
| HTTP
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 12.2.0 - 12.2.20
|
|
|---|
| CVE-2020-9488 | Oracle Policy Automation Connector for Siebel
| Core (Apache Log4j)
| HTTP
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 10.4.6
|
|
|---|
| CVE-2020-9488 | Oracle Policy Automation for Mobile Devices
| Core (Apache Log4j)
| HTTP
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 12.2.0 - 12.2.20
|
|
|---|
Additional CVEs addressed are:- The patch for CVE-2020-11022 also addresses CVE-2020-11023
Oracle Retail Applications Risk MatrixThis Critical Patch Update contains 28 new security patches for Oracle Retail Applications. 25 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user
credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2020-10683 | Oracle Retail Order Broker
| System Administration (dom4j)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 15.0, 16.0, 18.0, 19.0, 19.1
|
|
|---|
| CVE-2020-10683 | Oracle Retail Price Management
| Security (dom4j)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 14.0.4, 14.1.3.0, 15.0.3.0, 16.0.3.0
|
|
|---|
| CVE-2020-9546 | Oracle Retail Service Backbone
| RSB kernel (jackson-databind)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 14.1, 15.0, 16.0
|
|
|---|
| CVE-2020-1945 | Oracle Retail Back Office
| Security (Apache Ant)
| HTTP
| Yes
| 9.1
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| None
| 14.0, 14.1
|
|
|---|
| CVE-2020-1945 | Oracle Retail Central Office
| Security (Apache Ant)
| HTTP
| Yes
| 9.1
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| None
| 14.0, 14.1
|
|
|---|
| CVE-2020-1945 | Oracle Retail Integration Bus
| RIB Kernal (Apache Ant)
| HTTP
| Yes
| 9.1
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| None
| 14.1, 15.0, 16.0
|
|
|---|
| CVE-2020-1945 | Oracle Retail Point-of-Service
| Security (Apache Ant)
| HTTP
| Yes
| 9.1
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| None
| 14.0, 14.1
|
|
|---|
| CVE-2020-1945 | Oracle Retail Returns Management
| Security (Apache Ant)
| HTTP
| Yes
| 9.1
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| None
| 14.0, 14.1
|
|
|---|
| CVE-2020-9410 | Oracle Retail Order Broker
| Order Broker Foundation (jasperreports_server)
| HTTP
| Yes
| 8.8
| Network
| Low
| None
| Required
| Un-
changed
| High
| High
| High
| 15.0, 16.0
|
|
|---|
| CVE-2019-3740 | Oracle Retail Assortment Planning
| Application Core (RSA BSAFE Crypto-J)
| HTTP
| Yes
| 6.5
| Network
| Low
| None
| Required
| Un-
changed
| High
| None
| None
| 15.0.3.0, 16.0.3.0
|
|
|---|
| CVE-2019-3740 | Oracle Retail Integration Bus
| RIB Kernal (RSA BSAFE Crypto-J)
| HTTP
| Yes
| 6.5
| Network
| Low
| None
| Required
| Un-
changed
| High
| None
| None
| 14.1, 15.0, 16.0
|
|
|---|
| CVE-2019-3740 | Oracle Retail Predictive Application Server
| RPAS Server (RSA BSAFE Crypto-J)
| HTTP
| Yes
| 6.5
| Network
| Low
| None
| Required
| Un-
changed
| High
| None
| None
| 14.1.3.0, 15.0.3.0, 16.0.3.0
|
|
|---|
| CVE-2019-3740 | Oracle Retail Service Backbone
| RSB kernel (RSA BSAFE Crypto-J)
| HTTP
| Yes
| 6.5
| Network
| Low
| None
| Required
| Un-
changed
| High
| None
| None
| 14.1, 15.0, 16.0
|
|
|---|
| CVE-2019-3740 | Oracle Retail Xstore Point of Service
| Xenvironment (RSA BSAFE Crypto-J)
| HTTP
| Yes
| 6.5
| Network
| Low
| None
| Required
| Un-
changed
| High
| None
| None
| 15.0.3, 16.0.5, 17.0.3, 18.0.2, 19.0.1
|
|
|---|
| CVE-2020-11022 | Oracle Retail Back Office
| Security (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 14.0, 14.1
|
|
|---|
| CVE-2020-11022 | Oracle Retail Central Office
| Security (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 14.0, 14.1
|
|
|---|
| CVE-2020-11022 | Oracle Retail Customer Management and Segmentation Foundation
| Segments (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 19.0
|
|
|---|
| CVE-2019-11358 | Oracle Retail Point-of-Service
| Mobile POS (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 14.0, 14.1
|
|
|---|
| CVE-2020-11022 | Oracle Retail Returns Management
| Security (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 14.0, 14.1
|
|
|---|
| CVE-2019-12415 | Oracle Retail Order Broker
| Store Connect (Apache POI)
| none
| No
| 5.5
| Local
| Low
| Low
| None
| Un-
changed
| High
| None
| None
| 15.0, 16.0
|
|
|---|
| CVE-2020-9488 | Oracle Retail Advanced Inventory Planning
| AIP Dashboard (Apache Log4j)
| HTTP
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 14.1
|
|
|---|
| CVE-2020-9488 | Oracle Retail Assortment Planning
| Application Core (Apache Log4j)
| HTTP
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 15.0.3.0, 16.0.3.0
|
|
|---|
| CVE-2020-9488 | Oracle Retail Bulk Data Integration
| BDI Job Scheduler (Apache Log4j)
| HTTP
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 15.0.3.0, 16.0.3.0
|
|
|---|
| CVE-2020-9488 | Oracle Retail Integration Bus
| RIB Kernal (Apache Log4j)
| HTTP
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 14.1, 15.0, 16.0
|
|
|---|
| CVE-2020-9488 | Oracle Retail Order Broker
| Store Connect (Apache Log4j)
| HTTP
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 16.0, 18.0, 19.0, 19.1, 19.2, 19.3
|
|
|---|
| CVE-2020-9488 | Oracle Retail Predictive Application Server
| RPAS Fusion Client (Apache Log4j)
| HTTP
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 14.1.3.0, 15.0.3.0, 16.0.3.0
|
|
|---|
| CVE-2020-14732 | Oracle Retail Customer Management and Segmentation Foundation
| Promotions
| HTTP
| No
| 3.1
| Network
| High
| Low
| None
| Un-
changed
| Low
| None
| None
| 19.0
|
|
|---|
| CVE-2020-14731 | Oracle Retail Customer Management and Segmentation Foundation
| Segment
| HTTP
| No
| 3.1
| Network
| High
| Low
| None
| Un-
changed
| Low
| None
| None
| 18.0, 19.0
|
|
|---|
Additional CVEs addressed are:- The patch for CVE-2019-3740 also addresses CVE-2019-3738 and CVE-2019-3739
- The patch for CVE-2020-11022 also addresses CVE-2020-11023
- The patch for CVE-2020-1945 also addresses CVE-2017-5645
- The patch for CVE-2020-9410 also addresses CVE-2020-9409
- The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968,
CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-9547 and CVE-2020-9548
Oracle Siebel CRM Risk MatrixThis Critical Patch Update contains 3 new security patches for Oracle Siebel CRM. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2016-1000031 | Siebel Apps - Marketing
| Mktg/Email Mktg Stand-Alone (Apache Commons File Upload)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 20.7
|
|
|---|
| CVE-2019-10072 | Siebel Apps - Marketing
| Mktg/Campaign Mgmt (Apache Tomcat)
| HTTP
| Yes
| 7.5
| Network
| Low
| None
| None
| Un-
changed
| None
| None
| High
| 20.7
|
|
|---|
| CVE-2020-11022 | Siebel UI Framework
| UIF Open UI (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 20.8
|
|
|---|
Additional CVEs addressed are:- The patch for CVE-2020-11022 also addresses CVE-2020-11023
Oracle Supply Chain Risk MatrixThis Critical Patch Update contains 4 new security patches for Oracle Supply Chain. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2020-1938 | Oracle Agile PLM
| Folders, Files & Attachments (Apache Tomcat)
| AJP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 9.3.3, 9.3.5, 9.3.6
|
|
|---|
| CVE-2020-10683 | Oracle Agile PLM
| Security (dom4j)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 9.3.3, 9.3.5
|
|
|---|
| CVE-2020-9484 | Oracle Transportation Management
| Install (Apache Tomcat)
| AJP
| No
| 7.0
| Local
| High
| Low
| None
| Un-
changed
| High
| High
| High
| 6.3.7
|
|
|---|
| CVE-2020-11022 | Oracle Agile Product Lifecycle Management for Process
| Supplier Portal (jQuery)
| HTTP
| Yes
| 6.1
| Network
| Low
| None
| Required
| Changed
| Low
| Low
| None
| 6.2.0.0
|
|
|---|
Additional CVEs addressed are:- The patch for CVE-2020-11022 also addresses CVE-2020-11023
- The patch for CVE-2020-1938 also addresses CVE-2019-17569, CVE-2020-13934, CVE-2020-13935, CVE-2020-1935 and CVE-2020-9484
Oracle Systems Risk MatrixThis Critical Patch Update contains 8 new security patches for Oracle Systems. 3 of these vulnerabilities may be
remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2020-14871 | Oracle Solaris
| Pluggable authentication module
| Multiple
| Yes
| 10.0
| Network
| Low
| None
| None
| Changed
| High
| High
| High
| 10, 11
| See Note 1
|
|---|
| CVE-2020-14871 | Oracle ZFS Storage Appliance Kit
| Operating System Image
| Multiple
| Yes
| 10.0
| Network
| Low
| None
| None
| Changed
| High
| High
| High
| 8.8
| See Note 1
|
|---|
| CVE-2019-11477 | Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers
| XCP Firmware (Linux Kernel)
| TCP
| Yes
| 7.5
| Network
| Low
| None
| None
| Un-
changed
| None
| None
| High
| Prior to XCP2362, prior to XCP3090
|
|
|---|
| CVE-2018-3693 | Fujitsu M12-1, M12-2, M12-2S Servers
| XCP Firmware (Kernel)
| None
| No
| 5.6
| Local
| High
| Low
| None
| Changed
| High
| None
| None
| Prior to XCP3090
|
|
|---|
| CVE-2020-14758 | Oracle Solaris
| Kernel
| None
| No
| 5.6
| Local
| Low
| Low
| Required
| Un-
changed
| High
| None
| Low
| 11
|
|
|---|
| CVE-2020-14754 | Oracle Solaris
| Filesystem
| None
| No
| 5.5
| Local
| Low
| Low
| None
| Un-
changed
| None
| None
| High
| 11
|
|
|---|
| CVE-2020-14818 | Oracle Solaris
| Utility
| SSH
| No
| 3.0
| Network
| High
| Low
| Required
| Changed
| None
| Low
| None
| 11
|
|
|---|
| CVE-2020-14759 | Oracle Solaris
| Kernel
| None
| No
| 2.5
| Local
| High
| Low
| Required
| Changed
| None
| Low
| None
| 11
|
|
|---|
Notes:- This CVE is not exploitable for Solaris 11.1 and later releases, and ZFSSA 8.7 and later releases, thus the CVSS Base Score is 0.0.
Additional CVEs addressed are:- The patch for CVE-2019-11477 also addresses CVE-2019-11478 and CVE-2019-11479
- The patch for CVE-2020-14871 for Oracle ZFS Storage Appliance Kit also addresses CVE-2019-18348,
CVE-2020-3909, CVE-2020-10108, CVE-2020-12243, CVE-2020-13630, CVE-2020-14758 and CVE-2020-14759
Oracle Utilities Applications Risk MatrixThis Critical Patch Update contains 5 new security patches for Oracle Utilities Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be
found here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2019-10173 | Oracle Utilities Framework
| Common (xstream)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0
|
|
|---|
| CVE-2020-10683 | Oracle Utilities Framework
| General (dom4j)
| HTTP
| Yes
| 9.8
| Network
| Low
| None
| None
| Un-
changed
| High
| High
| High
| 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0
|
|
|---|
| CVE-2020-1945 | Oracle Utilities Framework
| General (Apache Ant)
| None
| No
| 6.3
| Local
| High
| Low
| None
| Un-
changed
| High
| High
| None
| 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0
|
|
|---|
| CVE-2020-14895 | Oracle Utilities Framework
| System Wide
| HTTP
| No
| 5.4
| Network
| Low
| Low
| None
| Un-
changed
| Low
| Low
| None
| 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0
|
|
|---|
| CVE-2020-9488 | Oracle Utilities Framework
| Common (Apache Log4j)
| HTTP
| Yes
| 3.7
| Network
| High
| None
| None
| Un-
changed
| Low
| None
| None
| 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0
|
|
|---|
Additional CVEs addressed are:- The patch for CVE-2020-1945 also addresses CVE-2017-5645
Oracle Virtualization Risk MatrixThis Critical Patch Update contains 7 new security patches for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user
credentials. The English text form of this Risk Matrix can be found here.
| CVE# | Product | Component | Protocol | Remote
Exploit
without
Auth.? | CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes |
|---|
Base
Score | Attack
Vector | Attack
Complex | Privs
Req'd | User
Interact | Scope | Confid-
entiality | Inte-
grity | Avail-
ability |
|---|
| CVE-2020-14872 | Oracle VM VirtualBox
| Core
| None
| No
| 8.2
| Local
| Low
| High
| None
| Changed
| High
| High
| High
| Prior to 6.1.16
|
|
|---|
| CVE-2020-14881 | Oracle VM VirtualBox
| Core
| None
| No
| 6.0
| Local
| Low
| High
| None
| Changed
| High
| None
| None
| Prior to 6.1.16
|
|
|---|
| CVE-2020-14884 | Oracle VM VirtualBox
| Core
| None
| No
| 6.0
| Local
| Low
| High
| None
| Changed
| High
| None
| None
| Prior to 6.1.16
|
|
|---|
| CVE-2020-14885 | Oracle VM VirtualBox
| Core
| None
| No
| 6.0
| Local
| Low
| High
| None
| Changed
| High
| None
| None
| Prior to 6.1.16
|
|
|---|
| CVE-2020-14886 | Oracle VM VirtualBox
| Core
| None
| No
| 6.0
| Local
| Low
| High
| None
| Changed
| High
| None
| None
| Prior to 6.1.16
|
|
|---|
| CVE-2020-14889 | Oracle VM VirtualBox
| Core
| None
| No
| 6.0
| Local
| Low
| High
| None
| Changed
| High
| None
| None
| Prior to 6.1.16
|
|
|---|
| CVE-2020-14892 | Oracle VM VirtualBox
| Core
| None
| No
| 5.5
| Local
| Low
| Low
| None
| Un-
changed
| None
| None
| High
| Prior to 6.1.16
|
|
|---|
Why Oracle - Analyst Reports
- Best cloud-based ERP
- Cloud Economics
- Corporate Responsibility
- Diversity and Inclusion
- Security Practices
Learn - What is cloud computing?
- What is CRM?
- What is Docker?
- What is Kubernetes?
- What is Python?
- What is SaaS?
What’s New - News
- Oracle CloudWorld
- Oracle Supports Ukraine
- Oracle Red Bull Racing
- Oracle Sustainability
- Employee Experience Platform
- © 2022 Oracle
- Privacy/Do Not Sell My Info
- Ad Choices
- Careers
- Facebook
- Twitter
- LinkedIn
- YouTube
|
