Source

Oracle Critical Patch Update Advisory - July 2016

Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:

Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.

This Critical Patch Update contains 276 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at https://blogs.oracle.com/security.

Please note that the vulnerabilities in this Critical Patch Update are scored using versions 3.0 of Common Vulnerability Scoring Standard (CVSS).

This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available here.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column. Please click on the link in the Patch Availability column below to access the documentation for those patches.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Patch Availability

For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update July 2016 Documentation Map, My Oracle Support Note.

Affected Products and Versions	Patch Availability
Application Express, version(s) prior to 5.0.4	Database
Oracle Database Server, version(s) 11.2.0.4, 12.1.0.1, 12.1.0.2	Database
Oracle Access Manager, version(s) 10.1.4.x, 11.1.1.7	Fusion Middleware
Oracle BI Publisher, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0	Fusion Middleware
Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7.0, 11.1.1.9.0, 11.2.1.0.0	Fusion Middleware
Oracle Directory Server Enterprise Edition, version(s) 7.0, 11.1.1.7.0	Fusion Middleware
Oracle Exalogic Infrastructure, version(s) 1.x, 2.x	Fusion Middleware
Oracle Fusion Middleware, version(s) 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.3.0, 12.2.1.0	Fusion Middleware
Oracle GlassFish Server, version(s) 2.1.1, 3.0.1, 3.1.2	Fusion Middleware
Oracle HTTP Server, version(s) 11.1.1.9, 12.1.3.0	Fusion Middleware
Oracle JDeveloper, version(s) 11.1.1.7.0, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.0.0	Fusion Middleware
Oracle Portal, version(s) 11.1.1.6	Fusion Middleware
Oracle TopLink, version(s) 12.1.3.0, 12.2.1.0, 12.2.1.1	Fusion Middleware
Oracle WebCenter Sites, version(s) 11.1.1.8, 12.2.1.0	Fusion Middleware
Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.3.0, 12.2.1.0	Fusion Middleware
Outside In Technology, version(s) 8.5.0, 8.5.1, 8.5.2	Fusion Middleware
Hyperion Financial Reporting, version(s) 11.1.2.4	Fusion Middleware
Enterprise Manager Base Platform, version(s) 12.1.0.5, 13.1.0.0	Enterprise Manager
Enterprise Manager for Fusion Middleware, version(s) 11.1.1.7, 11.1.1.9	Enterprise Manager
Enterprise Manager Ops Center, version(s) 12.1.4, 12.2.2, 12.3.2	Enterprise Manager
Oracle E-Business Suite, version(s) 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5	E-Business Suite
Oracle Agile Engineering Data Management, version(s) 6.1.3.0, 6.2.0.0	Oracle Supply Chain Products
Oracle Agile PLM, version(s) 9.3.4, 9.3.5	Oracle Supply Chain Products
Oracle Demand Planning, version(s) 12.1, 12.2	Oracle Supply Chain Products
Oracle Transportation Management, version(s) 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1	Oracle Supply Chain Products
PeopleSoft Enterprise FSCM, version(s) 9.1, 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, version(s) 8.53, 8.54, 8.55	PeopleSoft
JD Edwards EnterpriseOne Tools, version(s) 9.2.0.5	JD Edwards
Oracle Knowledge, version(s) 8.5.x	Oracle Knowledge
Siebel Applications, version(s) 8.1.1, 8.2.2, IP2014, IP2015, IP2016	Siebel
Oracle Fusion Applications, version(s) 11.1.2 through 11.1.10	Fusion Applications
Oracle Communications ASAP, version(s) 7.0, 7.2, 7.3	Oracle Communications ASAP
Oracle Communications Core Session Manager, version(s) 7.2.5, 7.3.5	Oracle Communications Core Session Manager
Oracle Communications EAGLE Application Processor, version(s) 16.0	Oracle Communications EAGLE Application Processor
Oracle Communications Messaging Server, version(s) 6.3, 7.0, 8.0, Prior to 7.0.5.37.0 and 8.0.1.1.0	Oracle Communications Messaging Server
Oracle Communications Network Charging and Control, version(s) 4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0	Oracle Communications Network Charging and Control
Oracle Communications Operations Monitor, version(s) prior to 3.3.92.0.0	Oracle Communications Operations Monitor
Oracle Communications Policy Management, version(s) prior to 9.9.2	Oracle Communications Policy Management
Oracle Communications Session Border Controller, version(s) 7.2.0, 7.3.0	Oracle Communications Session Border Controller
Oracle Communications Unified Session Manager, version(s) 7.2.5, 7.3.5	Oracle Communications Unified Session Manager
Oracle Enterprise Communications Broker, version(s) Prior to PCz 2.0.0m4p1	Oracle Enterprise Communications Broker
Oracle Banking Platform, version(s) 2.3.0, 2.4.0, 2.4.1, 2.5.0	Oracle Banking Platform
Oracle Financial Services Lending and Leasing, version(s) 14.1, 14.2	Oracle Financial Services Applications
Oracle FLEXCUBE Direct Banking, version(s) 12.0.1, 12.0.2, 12.0.3	Oracle Financial Services Applications
Oracle Health Sciences Clinical Development Center, version(s) 3.1.1.x, 3.1.2.x	Health Sciences
Oracle Health Sciences Information Manager, version(s) 1.2.8.3, 2.0.2.3, 3.0.1.0	Health Sciences
Oracle Healthcare Analytics Data Integration, version(s) 3.1.0.0.0	Health Sciences
Oracle Healthcare Master Person Index, version(s) 2.0.12, 3.0.0, 4.0.1	Health Sciences
Oracle Documaker, version(s) prior to 12.5	Oracle Insurance Applications
Oracle Insurance Calculation Engine, version(s) 9.7.1, 10.1.2, 10.2.2	Oracle Insurance Applications
Oracle Insurance Policy Administration J2EE, version(s) 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2	Oracle Insurance Applications
Oracle Insurance Rules Palette, version(s) 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2	Oracle Insurance Applications
MICROS Retail XBRi Loss Prevention, version(s) 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1	Retail XBRi
Oracle Retail Central, Back Office, Returns Management, version(s) 13.1, 13.2, 13.3, 13.4, 14.0, 14.1, 12.0 13.0	Retail Point-of-Service
Oracle Retail Integration Bus, version(s) 13.0, 13.1, 13.2, 14.0, 14.1, 15.0	Retail Integration Bus
Oracle Retail Order Broker, version(s) 4.1, 5.1, 5.2, 15.0	Retail Order Broker
Oracle Retail Service Backbone, version(s) 13.0, 13.1, 13.2, 14.0, 14.1, 15.0	Retail Service Backbone
Oracle Retail Store Inventory Management, version(s) 12.0, 13.0, 13.1, 13.2, 14.0, 14.1	Retail Store Inventory Management
Oracle Utilities Framework, version(s) 2.2.0.0.0, 4.1.0.1.0, 4.1.0.2.0, 4.2.0.1.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0, 4.3.0.2.0	Oracle Utilities Applications
Oracle Utilities Network Management System, version(s) 1.10.0.6.27, 1.11.0.4.41, 1.11.0.5.4, 1.12.0.1.16, 1.12.0.2.12. 1.12.0.3.5	Oracle Utilities Applications
Oracle Utilities Work and Asset Management, version(s) 1.9.1.2.8	Oracle Utilities Applications
Oracle In-Memory Policy Analytics, version(s) 12.0.1	Oracle Policy Automation
Oracle Policy Automation, version(s) 10.3.0, 10.3.1, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 12.1.0, 12.1.1	Oracle Policy Automation
Oracle Policy Automation Connector for Siebel, version(s) 10.3.0, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6	Oracle Policy Automation
Oracle Policy Automation for Mobile Devices, version(s) 12.1.1	Oracle Policy Automation
Primavera Contract Management, version(s) 14.2	Oracle Primavera Products Suite
Primavera P6 Enterprise Project Portfolio Management, version(s) 8.2, 8.3, 8.4, 15.1, 15.2, 16.1	Oracle Primavera Products Suite
Oracle Java SE, version(s) 6u115, 7u101, 8u92	Oracle Java SE
Oracle Java SE Embedded, version(s) 8u91	Oracle Java SE
Oracle JRockit, version(s) R28.3.10	Oracle Java SE
40G 10G 72/64 Ethernet Switch, version(s) 2.0.0	Oracle and Sun Systems Products Suite
Fujitsu M10-1, M10-4, M10-4S Servers, version(s) prior to XCP 2320	Oracle and Sun Systems Products Suite
ILOM, version(s) 3.0, 3.1, 3.2	Oracle and Sun Systems Products Suite
Oracle Switch ES1-24, version(s) 1.3	Oracle and Sun Systems Products Suite
Solaris, version(s) 10, 11.3	Oracle and Sun Systems Products Suite
Solaris Cluster, version(s) 3.3, 4.3	Oracle and Sun Systems Products Suite
SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, version(s) prior to XCP 1121	Oracle and Sun Systems Products Suite
Sun Blade 6000 Ethernet Switched NEM 24P 10GE, version(s) 1.2	Oracle and Sun Systems Products Suite
Sun Data Center InfiniBand Switch 36, version(s) prior to 2.2.2	Oracle and Sun Systems Products Suite
Sun Network 10GE Switch 72p, version(s) 1.2	Oracle and Sun Systems Products Suite
Sun Network QDR InfiniBand Gateway Switch, version(s) prior to 2.2.2	Oracle and Sun Systems Products Suite
Oracle Secure Global Desktop, version(s) 4.63, 4.71, 5.2	Oracle Linux and Virtualization
Oracle VM VirtualBox, version(s) prior to 5.0.26	Oracle Linux and Virtualization
MySQL Server, version(s) 5.5.49 and prior, 5.6.30 and prior, 5.7.12 and prior	Oracle MySQL Product Suite

Note:

Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security fixes required to resolve ZFSSA issues published in Critical Patch Updates (CPUs) and Solaris Third Party bulletins.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update July 2016 Availability Document, My Oracle Support Note 2136219.1.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly "Oracle Enterprise Manager Grid Control") and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Critical Patch Update program are available to customers who have Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle: Accenture TVM Prague; Adam Willard of Raytheon Foreground Security; Alexander Kornbrust of Red Database Security; Alexander Mirosh of Hewlett Packard Enterprise; Alvaro Munoz of Hewlett Packard Enterprise; Alvaro Munoz of Trend Micro's Zero Day Initiative; Ben Lincoln of NCC Group; Brian Martin of Tenable Network Security; Bruno Cirone; Christian Schneider; David Litchfield of Google; Devin Rosenbauer of Identity Works LLC; Aleksandar Nikolic of Cisco Talos; Jack Fei of FINRA; Juan Manuel Fernández Torres of Telefonica.com; Kasper Andersen; Matias Mevied of Onapsis; Matthias Kaiser of Code White; Matthias-Christian Ott; Nicholas Lemonias of Advanced Information Security Corporation; Nicolas Collignon of synacktiv; Reno Robert; Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.; Stephan Borosh of Veris Group, LLC; Stephen Kost of Integrigy; Steven Seeley working with Beyond Security's SSD program; Sven Blumenstein of Google; Teemu Kääriäinen; Ubais PK; and XOR19 of Trend Micro's Zero Day Initiative.

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes Alexey Tyurin of ERPScan; David Litchfield of Google; Paul M. Wright; and Quan Nguyen of Google for contributions to Oracle's Security-In-Depth program.

On-Line Presence Security Contributors

Oracle provides acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes Adam Willard of Raytheon Foreground Security; Cameron Dawe of Spam404.com; Jubaer Al Nazi - ServerGhosts Bangladesh; Karim Rahal; Latish Danawale of Pristine Infosolutions; Othmane Tamagart - APPBOX; Ramal Hajataliyev; Rodolfo Godalle Jr.; Shawar Khan; Tayyab Qadir; Vikas Khanna; and Winnye Jakeson for contributions to Oracle's On-Line Presence Security program.

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

18 October 2016
17 January 2017
18 April 2017
18 July 2017

References

Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
Critical Patch Update - July 2016 Documentation Map [ My Oracle Support Note ]
Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
Risk Matrix definitions [ Risk Matrix Definitions ]
Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
English text version of the risk matrices [ Oracle Technology Network ]
CVRF XML version of the risk matrices [ Oracle Technology Network ]
The Oracle Software Security Assurance Blog [ The Oracle Software Security Assurance Blog ]
List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]

Modification History

Date	Note
2016-October-18	Rev 2. Updated score for CVE-2016-3504 and associated it with CVE-2016-5019.
2016-July-19	Rev 1. Initial Release.

Appendix - Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 9 new security fixes for the Oracle Database Server. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 2 of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Oracle Database Server Risk Matrix

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-3609	OJVM	Create Session	Multiple	No	9.0	Network	Low	Low	Required	Changed	High	High	High	11.2.0.4, 12.1.0.1, 12.1.0.2	See Note 1
CVE-2016-3506	JDBC	None	Oracle Net	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2016-3479	Portable Clusterware	None	Oracle Net	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	11.2.0.4, 12.1.0.2
CVE-2016-3489	Data Pump Import	Index on SYS.INCVID	Oracle Net	No	6.7	Local	Low	High	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.1, 12.1.0.2
CVE-2016-3448	Application Express	None	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	Prior to 5.0.4
CVE-2016-3467	Application Express	None	HTTP	Yes	5.8	Network	Low	None	None	Changed	None	None	Low	Prior to 5.0.4
CVE-2015-0204	RDBMS	HTTPS Listener	HTTPS	Yes	5.3	Network	High	None	Required	Un- changed	None	High	None	12.1.0.1, 12.1.0.2
CVE-2016-3488	DB Sharding	Execute on gsmadmin_internal	Oracle Net	No	4.4	Local	Low	High	None	Un- changed	None	High	None	12.1.0.2
CVE-2016-3484	Database Vault	Create Public Synonym	Oracle Net	No	3.4	Local	Low	High	None	Un- changed	Low	Low	None	11.2.0.4, 12.1.0.1, 12.1.0.2

Notes:

The score 9.0 is for Windows platform. On Linux platform the score is 8.0.

Oracle Database Server Client-Only Installations

The following Oracle Database Server vulnerabilities included in this Critical Patch Update affect client-only installations: CVE-2016-3506 and CVE-2015-0204.

Appendix - Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 40 new security fixes for Oracle Fusion Middleware. 35 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2015-7182	Oracle Directory Server Enterprise Edition	Admin Server	HTTPS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.0, 11.1.1.7.0
CVE-2016-3607	Oracle GlassFish Server	Web Container	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.0.1, 3.1.2
CVE-2016-3510	Oracle WebLogic Server	WLS Core Components	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.0
CVE-2016-3586	Oracle WebLogic Server	WLS Core Components	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0, 12.1.3.0, 12.2.1.0
CVE-2016-3499	Oracle WebLogic Server	Web Container	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3.0, 12.2.1.0
CVE-2016-3504	Oracle JDeveloper	ADF Faces	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.7.0, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.0.0
CVE-2016-3574	Outside In Technology	Outside In Filters	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	8.5.0, 8.5.1, 8.5.2	See Note 1
CVE-2016-3575	Outside In Technology	Outside In Filters	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	8.5.0, 8.5.1, 8.5.2	See Note 1
CVE-2016-3576	Outside In Technology	Outside In Filters	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	8.5.0, 8.5.1, 8.5.2	See Note 1
CVE-2016-3577	Outside In Technology	Outside In Filters	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	8.5.0, 8.5.1, 8.5.2	See Note 1
CVE-2016-3578	Outside In Technology	Outside In Filters	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	8.5.0, 8.5.1, 8.5.2	See Note 1
CVE-2016-3579	Outside In Technology	Outside In Filters	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	8.5.0, 8.5.1, 8.5.2	See Note 1
CVE-2016-3580	Outside In Technology	Outside In Filters	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	8.5.0, 8.5.1, 8.5.2	See Note 1
CVE-2016-3581	Outside In Technology	Outside In Filters	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	8.5.0, 8.5.1, 8.5.2	See Note 1
CVE-2016-3582	Outside In Technology	Outside In Filters	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	8.5.0, 8.5.1, 8.5.2	See Note 1
CVE-2016-3583	Outside In Technology	Outside In Filters	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	8.5.0, 8.5.1, 8.5.2	See Note 1
CVE-2016-3590	Outside In Technology	Outside In Filters	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	8.5.0, 8.5.1, 8.5.2	See Note 1
CVE-2016-3591	Outside In Technology	Outside In Filters	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	8.5.0, 8.5.1, 8.5.2	See Note 1
CVE-2016-3592	Outside In Technology	Outside In Filters	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	8.5.0, 8.5.1, 8.5.2	See Note 1
CVE-2016-3593	Outside In Technology	Outside In Filters	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	8.5.0, 8.5.1, 8.5.2	See Note 1
CVE-2016-3594	Outside In Technology	Outside In Filters	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	8.5.0, 8.5.1, 8.5.2	See Note 1
CVE-2016-3595	Outside In Technology	Outside In Filters	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	8.5.0, 8.5.1, 8.5.2	See Note 1
CVE-2016-3596	Outside In Technology	Outside In Filters	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	8.5.0, 8.5.1, 8.5.2	See Note 1
CVE-2016-3446	Oracle Business Intelligence Enterprise Edition	Analytics Web Administration	HTTP	Yes	8.3	Network	Low	None	None	Changed	Low	Low	Low	11.1.1.7.0, 11.1.1.9.0
CVE-2016-1181	Oracle Portal	User and Group Security	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	11.1.1.6	See Note 2
CVE-2016-3564	Oracle TopLink	JPA-RS	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.1.3.0, 12.2.1.0, 12.2.1.1
CVE-2016-3487	Oracle WebCenter Sites	WebCenter Sites	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	11.1.1.8, 12.2.1.0
CVE-2016-3544	Oracle Business Intelligence Enterprise Edition	Analytics Web General	HTTP	No	7.6	Network	Low	Low	Required	Changed	High	Low	None	11.1.1.7.0, 11.1.1.9.0, 11.2.1.0.0
CVE-2016-1548	Oracle Exalogic Infrastructure	Base Image	Multiple	Yes	6.5	Network	Low	None	None	Un- changed	None	Low	Low	1.x, 2.x
CVE-2015-3237	Oracle GlassFish Server	Administration	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	3.0.1, 3.1.2
CVE-2016-3502	Oracle WebCenter Sites	WebCenter Sites	HTTP	No	6.5	Network	Low	Low	Required	Changed	Low	Low	Low	11.1.1.8, 12.2.1.0
CVE-2016-2107	Oracle Access Manager	Web Server Plugin	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	10.1.4.x, 11.1.1.7
CVE-2016-2107	Oracle Exalogic Infrastructure	Base Image	Multiple	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	1.x, 2.x
CVE-2016-3608	Oracle GlassFish Server	Administration	HTTP	Yes	5.8	Network	Low	None	None	Changed	Low	None	None	3.0.1
CVE-2016-5477	Oracle GlassFish Server	Administration	HTTP	Yes	5.8	Network	Low	None	None	Changed	Low	None	None	2.1.1, 3.0.1
CVE-2016-3432	BI Publisher (formerly XML Publisher)	Web Server	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	11.1.1.7.0, 11.1.1.9.0
CVE-2016-3433	Oracle Business Intelligence Enterprise Edition	Analytics Web Administration	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	11.1.1.7.0, 11.1.1.9.0
CVE-2016-3445	Oracle WebLogic Server	Web Container	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	10.3.6.0, 12.1.3.0
CVE-2016-3474	BI Publisher (formerly XML Publisher)	Security	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
CVE-2016-3482	Oracle HTTP Server	SSL/TLS Module	HTTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	11.1.1.9, 12.1.3.0

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.
Please refer to My Oracle Support Note 2155256.1 for instructions on how to address this issue.

Additional CVEs addressed:

The fix for CVE-2015-7182 also addresses CVE-2015-2721, CVE-2015-4000, CVE-2015-7181, CVE-2015-7183, and CVE-2015-7575.
The fix for CVE-2016-1181 also addresses CVE-2016-1182.
The fix for CVE-2016-1548 also addresses CVE-2015-7979, CVE-2016-1547, CVE-2016-1550, CVE-2016-2108, CVE-2016-2518, CVE-2016-4051, CVE-2016-4052, and CVE-2016-4053.
The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176.
The fix for CVE-2016-3504 also addresses CVE-2016-5019.

Appendix - Oracle Hyperion

Oracle Hyperion Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Hyperion. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Hyperion Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-3493	Hyperion Financial Reporting	Security Models	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.4

Appendix - Oracle Enterprise Manager Grid Control

Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 10 new security fixes for Oracle Enterprise Manager Grid Control. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager Grid Control Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2015-7501	Enterprise Manager Ops Center	Enterprise Controller Install	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.1.4, 12.2.2, 12.3.2
CVE-2016-0635	Enterprise Manager Ops Center	Framework	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.1.4, 12.2.2, 12.3.2
CVE-2015-3237	Enterprise Manager Ops Center	Networking	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	None	Low	12.1.4, 12.2.2, 12.3.2
CVE-2016-3494	Enterprise Manager Ops Center	OS Provisioning	HTTP	Yes	6.5	Adjacent Network	Low	None	None	Un- changed	None	None	High	12.1.4, 12.2.2, 12.3.2
CVE-2016-3563	Enterprise Manager Base Platform	Security Framework	None	No	6.3	Local	Low	High	Required	Changed	Low	High	None	12.1.0.5
CVE-2016-2107	Enterprise Manager Base Platform	Discovery Framework	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.1.0.5, 13.1.0.0
CVE-2015-3197	Enterprise Manager Ops Center	Networking	SSL/TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.1.4, 12.2.2, 12.3.2
CVE-2016-3496	Enterprise Manager for Fusion Middleware	SOA Topology Viewer	HTTP	Yes	4.7	Network	Low	None	Required	Changed	Low	None	None	11.1.1.7, 11.1.1.9
CVE-2016-3540	Enterprise Manager Base Platform	UI Framework	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	Low	None	None	12.1.0.5, 13.1.0.0
CVE-2015-0228	Enterprise Manager Ops Center	Update Provisioning	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	12.1.4, 12.2.2, 12.3.2

Additional CVEs addressed:

The fix for CVE-2015-3237 also addresses CVE-2015-3236.

Appendix - Oracle Applications

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 23 new security fixes for the Oracle E-Business Suite. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-3546	Oracle Advanced Collections	Report JSPs	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1, 12.1.2, 12.1.3
CVE-2016-3541	Oracle Common Applications Calendar	Notes	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3543	Oracle Common Applications Calendar	Tasks	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3532	Oracle Advanced Inbound Telephony	SDK client integration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2016-3535	Oracle CRM Technical Foundation	Remote Launch	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3
CVE-2016-3491	Oracle CRM Technical Foundation	Wireless Framework	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3
CVE-2016-3512	Oracle Customer Interaction History	Function Security	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2016-3536	Oracle Marketing	Deliverables	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2016-3522	Oracle Web Applications Desktop Integrator	Application Service	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3528	Oracle Internet Expenses	Expenses Admin Utilities	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3524	Oracle Applications Technology Stack	Configuration	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3542	Oracle Knowledge Management	Search, Browse	HTTP	No	6.5	Network	Low	High	None	Un- changed	High	High	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3525	Oracle Applications Manager	Cookie Management	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.1.3
CVE-2016-3545	Oracle Application Object Library	Web based help screens	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3549	Oracle E-Business Suite Secure Enterprise Search	Search Integration Engine	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3548	Oracle Marketing	Marketing activity collateral	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3547	Oracle One-to-One Fulfillment	Content Manager	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3520	Oracle Application Object Library	AOL Diagnostic tests	HTTP	No	4.9	Network	Low	High	None	Un- changed	High	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3558	Oracle Email Center	Email Center Agent Console	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3559	Oracle Email Center	Email Center Agent Console	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3534	Oracle Installed Base	Engineering Change Order	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3533	Oracle Knowledge Management	Search	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
CVE-2016-3523	Oracle Web Applications Desktop Integrator	Application Service	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 25 new security fixes for the Oracle Supply Chain Products Suite. 13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-3468	Oracle Agile Engineering Data Management	Install	HTPP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.1.3.0, 6.2.0.0
CVE-2016-3556	Oracle Agile PLM	EM Integration	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.3.4, 9.3.5
CVE-2016-3527	Oracle Demand Planning	ODPDA Servlet	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1, 12.2
CVE-2016-3554	Oracle Agile PLM	PC / BOM, MCAD, Design	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	9.3.4, 9.3.5
CVE-2015-7501	Oracle Transportation Management	Web Container	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1
CVE-2016-3526	Oracle Agile PLM	SDK	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	9.3.4, 9.3.5
CVE-2016-3561	Oracle Agile PLM	SDK	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	9.3.4, 9.3.5
CVE-2016-3538	Oracle Agile PLM	File Folders / Attachment	HTTP	No	7.1	Network	Low	Low	None	Un- changed	None	High	Low	9.3.4, 9.3.5
CVE-2016-3539	Oracle Agile PLM	File Folders / Attachment	HTTP	No	7.1	Network	Low	Low	None	Un- changed	None	High	Low	9.3.4, 9.3.5
CVE-2016-3530	Oracle Agile PLM	PGC / Import	HTTP	No	7.1	Network	Low	Low	None	Un- changed	None	High	Low	9.3.4, 9.3.5
CVE-2016-3470	Oracle Transportation Management	Install	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	6.4.1
CVE-2016-3537	Oracle Agile PLM	File Folders / Attachment	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	9.3.4, 9.3.5
CVE-2016-3557	Oracle Agile PLM	File Load	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.3.4, 9.3.5
CVE-2016-3519	Oracle Agile PLM	PC / Get Shortcut	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.3.4, 9.3.5
CVE-2016-3555	Oracle Agile PLM	PGC / Excel Plugin	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.3.4, 9.3.5
CVE-2016-2107	Oracle Agile Engineering Data Management	Install	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	6.1.3.0, 6.2.0.0
CVE-2016-3529	Oracle Agile PLM	SDK	HTTP	Yes	5.8	Network	Low	None	None	Changed	Low	None	None	9.3.4, 9.3.5
CVE-2016-3509	Oracle Agile PLM	File Folders / URL Attachment	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	9.3.4, 9.3.5
CVE-2016-3553	Oracle Agile PLM	PC Core	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	9.3.4, 9.3.5
CVE-2016-3560	Oracle Agile PLM	SDK	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	9.3.4, 9.3.5
CVE-2016-3517	Oracle Agile PLM	PC / Get Shortcut	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	9.3.4, 9.3.5
CVE-2016-3507	Oracle Agile PLM	WebClient / Admin	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	9.3.4, 9.3.5
CVE-2016-3531	Oracle Agile PLM	PC / Notification	HTTP	No	3.5	Network	Low	Low	Required	Un- changed	Low	None	None	9.3.4, 9.3.5
CVE-2016-5473	Oracle Agile PLM	File Folders / Attachment	HTTP	No	3.1	Network	High	Low	None	Un- changed	Low	None	None	9.3.4, 9.3.5
CVE-2016-3490	Oracle Transportation Management	Database	HTTP	No	3.0	Network	High	Low	Required	Changed	Low	None	None	6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 7 new security fixes for Oracle PeopleSoft Products. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-5465	PeopleSoft Enterprise PeopleTools	Panel Processor	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	8.53, 8.54, 8.55
CVE-2016-5472	PeopleSoft Enterprise PeopleTools	Install and Packaging	None	No	7.8	Local	Low	Low	None	Un- changed	High	High	High	8.54, 8.55
CVE-2016-3483	PeopleSoft Enterprise PeopleTools	File Processing	HTTP	Yes	7.2	Network	Low	None	None	Changed	Low	None	Low	8.53, 8.54, 8.55
CVE-2016-5470	PeopleSoft Enterprise PeopleTools	Application Designer	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	8.54, 8.55
CVE-2016-3478	PeopleSoft Enterprise PeopleTools	File Processing	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.53, 8.54, 8.55
CVE-2016-2107	PeopleSoft Enterprise PeopleTools	Security	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.53, 8.54, 8.55
CVE-2016-5467	PeopleSoft Enterprise FSCM	eProcurement	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	9.1, 9.2

Additional CVEs addressed:

The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176.

Oracle JD Edwards Products Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle JD Edwards Products. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle JD Edwards Products Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2015-3197	JD Edwards EnterpriseOne Tools	Enterprise Infrastructure SEC	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	9.2.0.5

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 16 new security fixes for Oracle Siebel CRM. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-5451	Siebel UI Framework	EAI	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-3476	Oracle Knowledge	Information Manager Console	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	8.5.x
CVE-2016-5461	Siebel Core - Server Framework	Object Manager	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-3472	Siebel Engineering - Installer and Deployment	Web Server	HTTP	No	5.7	Network	Low	Low	Required	Un- changed	High	None	None	8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5468	Siebel UI Framework	EAI	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5456	Siebel Core - Server Framework	Services	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5459	Siebel Core - Common Components	iHelp	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5450	Siebel UI Framework	UIF Open UI	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-3475	Oracle Knowledge	Information Manager Console	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	8.5.x
CVE-2016-5463	Siebel UI Framework	SWSE Server	HTTP	No	4.1	Network	Low	Low	Required	Changed	None	Low	None	8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5464	Siebel UI Framework	SWSE Server	HTTP	No	4.1	Network	Low	Low	Required	Changed	None	Low	None	8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-3450	Siebel Core - Server Framework	Services	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5460	Siebel Core - Server Framework	Services	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5466	Siebel Core - Server Framework	Services	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-3469	Siebel Core - Server Framework	Services	None	No	3.3	Local	Low	Low	None	Un- changed	Low	None	None	8.1.1, 8.2.2, IP2014, IP2015, IP2016
CVE-2016-5462	Siebel Core - Server Framework	Workspaces	HTTP	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	8.1.1, 8.2.2, IP2014, IP2015, IP2016

Appendix - Oracle Communications Applications

Oracle Communications Applications Executive Summary

This Critical Patch Update contains 16 new security fixes for Oracle Communications Applications. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Communications Applications Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2015-0235	Oracle Communications EAGLE Application Processor	Other	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.0
CVE-2015-7182	Oracle Communications Messaging Server	Security	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 7.0.5.37.0 and 8.0.1.1.0
CVE-2015-7501	Oracle Communications ASAP	Service request translator	T3	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	7.0, 7.2, 7.3
CVE-2014-3571	Oracle Communications Core Session Manager	Routing	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.2.5, 7.3.5
CVE-2016-3515	Oracle Enterprise Communications Broker	Crash, network, system, admin	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	Prior to PCz 2.0.0m4p1
CVE-2016-3513	Oracle Communications Operations Monitor	Infrastructure	HTTPS	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	Prior to 3.3.92.0.0
CVE-2016-3514	Oracle Enterprise Communications Broker	GUI	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	Prior to PCz 2.0.0m4p1
CVE-2016-5458	Oracle Communications EAGLE Application Processor	APPL	HTTP	No	6.4	Network	Low	Low	None	Changed	Low	Low	None	16.0
CVE-2015-3197	Oracle Communications Network Charging and Control	DAP, OSD, PI	TLS/SSL	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.0.2.0.0, 5.0.1.0.0, 5.0.0.2.0, 5.0.0.1.0, 4.4.1.5.0
CVE-2016-2107	Oracle Communications Unified Session Manager	Routing	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	7.2.5, 7.3.5
CVE-2016-5455	Oracle Communications Messaging Server	Multiplexor	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	6.3, 7.0, 8.0
CVE-2014-9708	Oracle Enterprise Communications Broker	GUI	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Prior to PCz 2.0.0m4p1
CVE-2016-0702	Oracle Communications Session Border Controller	Encryption	TLS	Yes	4.8	Network	High	None	None	Un- changed	Low	Low	None	7.2.0, 7.3.0
CVE-2015-2808	Oracle Communications Policy Management	Security	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Prior to 9.9.2
CVE-2015-5300	Oracle Communications Session Border Controller	System	NTP	No	3.7	Adjacent Network	High	Low	None	Un- changed	Low	None	Low	7.2.0, 7.3.0
CVE-2016-3516	Oracle Enterprise Communications Broker	GUI	HTTP	No	3.1	Network	High	Low	None	Un- changed	Low	None	None	Prior to PCz 2.0.0m4p1

Additional CVEs addressed:

The fix for CVE-2014-3571 also addresses CVE-2014-3569, CVE-2014-3570, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, and CVE-2015-0206.
The fix for CVE-2015-5300 also addresses CVE-2015-7704, and CVE-2015-8138.
The fix for CVE-2015-7182 also addresses CVE-2015-7181, CVE-2015-7183, and CVE-2015-7575.
The fix for CVE-2016-0702 also addresses CVE-2016-0705, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799, and CVE-2016-0800.
The fix for CVE-2016-5455 also addresses CVE-2015-7181, CVE-2015-7183, CVE-2015-7575, CVE-2016-1938, and CVE-2016-1978.

Appendix - Oracle Financial Services Applications

Oracle Financial Services Applications Executive Summary

This Critical Patch Update contains 4 new security fixes for Oracle Financial Services Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Financial Services Applications Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2015-7501	Oracle Banking Platform	Rules collections	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	2.3.0, 2.4.0, 2.4.1
CVE-2014-0224	Oracle Financial Services Lending and Leasing	Admin and setup	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	14.1 , 14.2
CVE-2016-3589	Oracle FLEXCUBE Direct Banking	Base	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.0.1, 12.0.2, 12.0.3
CVE-2016-1181	Oracle Banking Platform	OPS	HTTP	Yes	3.1	Network	High	None	Required	Un- changed	None	Low	None	2.3.0, 2.4.0, 2.4.1, 2.5.0

Additional CVEs addressed:

The fix for CVE-2016-1181 also addresses CVE-2016-1182.

Appendix - Oracle Health Sciences Applications

Oracle Health Sciences Applications Executive Summary

This Critical Patch Update contains 5 new security fixes for Oracle Health Sciences Applications. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Health Sciences Applications Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2015-3253	Oracle Health Sciences Clinical Development Center	Installation and configuration	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.1.1.x, 3.1.2.x
CVE-2015-7501	Oracle Health Sciences Clinical Development Center	Installation and configuration	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	3.1.1.x, 3.1.2.x
CVE-2016-0635	Oracle Health Sciences Information Manager	Health Policy Monitor	TLS, UDP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	1.2.8.3, 2.0.2.3, 3.0.1.0
CVE-2015-7501	Oracle Healthcare Analytics Data Integration	Self Service Analytics	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	3.1.0.0.0
CVE-2016-0635	Oracle Healthcare Master Person Index	Internal operations	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	2.0.12, 3.0.0, 4.0.1

Appendix - Oracle Insurance Applications

Oracle Insurance Applications Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle Insurance Applications. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Insurance Applications Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2015-7501	Oracle Documaker	Development tools	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	Prior to 12.5
CVE-2016-0635	Oracle Documaker	Development tools	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	Prior to 12.5
CVE-2015-7501	Oracle Insurance Calculation Engine	Architecture	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	9.7.1, 10.1.2, 10.2.2
CVE-2016-0635	Oracle Insurance Calculation Engine	Architecture	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	9.7.1, 10.1.2, 10.2.2
CVE-2015-7501	Oracle Insurance Policy Administration J2EE	Architecture	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
CVE-2016-0635	Oracle Insurance Policy Administration J2EE	Architecture	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
CVE-2015-7501	Oracle Insurance Rules Palette	Architecture	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
CVE-2016-0635	Oracle Insurance Rules Palette	Architecture	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2

Appendix - Oracle Retail Applications

Oracle Retail Applications Executive Summary

This Critical Patch Update contains 16 new security fixes for Oracle Retail Applications. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Retail Applications Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-3444	Oracle Retail Integration Bus	Install	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.0, 13.1, 13.2, 14.0, 14.1, 15.0
CVE-2015-3253	Oracle Retail Order Broker	System Administration	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	4.1, 5.1, 5.2, 15.0
CVE-2015-3253	Oracle Retail Service Backbone	Install	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.0, 13.1, 13.2, 14.0, 14.1, 15.0
CVE-2015-3253	Oracle Retail Store Inventory Management	SIMINT	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.2, 14.0, 14.1
CVE-2015-7501	MICROS Retail XBRi Loss Prevention	Retail	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1
CVE-2015-7501	Oracle Retail Central, Back Office, Returns Management	Install	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.0 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
CVE-2016-0635	Oracle Retail Integration Bus	Install	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	15.0
CVE-2016-0635	Oracle Retail Order Broker	Order Broker Foundation	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	5.1, 5.2, 15.0
CVE-2015-7501	Oracle Retail Service Backbone	Install	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	15.0
CVE-2016-5474	Oracle Retail Service Backbone	RSB Kernel	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	14.0, 14.1, 15.0
CVE-2016-3081	MICROS Retail XBRi Loss Prevention	Retail	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1
CVE-2016-5476	Oracle Retail Integration Bus	Install	HTTP	No	7.6	Network	Low	Low	None	Un- changed	High	Low	Low	13.0, 13.1, 13.2, 14.0, 14.1, 15.0
CVE-2016-3565	Oracle Retail Order Broker	System Administration	HTTP	No	7.6	Network	Low	Low	None	Un- changed	Low	High	Low	5.1, 5.2
CVE-2016-5475	Oracle Retail Service Backbone	Install	HTTP	No	7.6	Network	Low	Low	None	Un- changed	High	Low	Low	14.0, 14.1, 15.0
CVE-2015-7501	Oracle Retail Store Inventory Management	SIMINT	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	12.0, 13.0, 13.1, 13.2, 14.0, 14.1
CVE-2016-3611	Oracle Retail Order Broker	System Administration	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	15.0

Appendix - Oracle Utilities Applications

Oracle Utilities Applications Executive Summary

This Critical Patch Update contains 3 new security fixes for Oracle Utilities Applications. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Utilities Applications Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2015-7501	Oracle Utilities Framework	System wide	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	2.2.0.0.0, 4.1.0.1.0, 4.1.0.2.0, 4.2.0.1.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0, 4.3.0.2.0
CVE-2015-7501	Oracle Utilities Network Management System	System wide	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	1.10.0.6.27, 1.11.0.4.41, 1.11.0.5.4, 1.12.0.1.16, 1.12.0.2.12. 1.12.0.3.5
CVE-2015-7501	Oracle Utilities Work and Asset Management	Integrations	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	1.9.1.2.8

Appendix - Oracle Policy Automation

Oracle Policy Automation Executive Summary

This Critical Patch Update contains 4 new security fixes for Oracle Policy Automation. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Policy Automation Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2015-7501	Oracle In-Memory Policy Analytics	Analysis Server	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.0.1
CVE-2015-7501	Oracle Policy Automation	Determinations Engine	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	10.3.0, 10.3.1, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 12.1.0, 12.1.1
CVE-2015-7501	Oracle Policy Automation Connector for Siebel	Determinations Server	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	10.3.0, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6
CVE-2015-7501	Oracle Policy Automation for Mobile Devices	Mobile Application	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.1.1

Appendix - Oracle Primavera Products Suite

Oracle Primavera Products Suite Executive Summary

This Critical Patch Update contains 15 new security fixes for the Oracle Primavera Products Suite. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Primavera Products Suite Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2015-7501	Primavera Contract Management	PCM application	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	14.2
CVE-2016-0635	Primavera Contract Management	PCM web services	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	14.2
CVE-2015-7501	Primavera P6 Enterprise Project Portfolio Management	Web access	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	8.2, 8.3, 8.4, 15.1, 15.2, 16.1
CVE-2016-0635	Primavera P6 Enterprise Project Portfolio Management	Web access	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	8.2, 8.3, 8.4, 15.1, 15.2, 16.1
CVE-2015-1791	Primavera P6 Enterprise Project Portfolio Management	Project manager	HTTP	Yes	6.5	Network	High	None	None	Changed	Low	Low	Low	8.3, 8.4, 15.1
CVE-2016-3572	Primavera P6 Enterprise Project Portfolio Management	Web Access	HTTP	No	6.4	Network	Low	Low	None	Changed	Low	Low	None	8.3, 8.4, 15.1, 15.2, 16.1
CVE-2012-3137	Primavera P6 Enterprise Project Portfolio Management	Web access	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	8.2, 8.3, 8.4
CVE-2016-3566	Primavera P6 Enterprise Project Portfolio Management	Web access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.3, 8.4, 15.1, 15.2, 16.1
CVE-2016-3568	Primavera P6 Enterprise Project Portfolio Management	Web access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.3, 8.4, 15.1, 15.2, 16.1
CVE-2016-3569	Primavera P6 Enterprise Project Portfolio Management	Web access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.3, 8.4, 15.1, 15.2, 16.1
CVE-2016-3570	Primavera P6 Enterprise Project Portfolio Management	Web access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.3, 8.4, 15.1, 15.2, 16.1
CVE-2016-3571	Primavera P6 Enterprise Project Portfolio Management	Web access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.3, 8.4, 15.1, 15.2, 16.1
CVE-2016-3573	Primavera P6 Enterprise Project Portfolio Management	Web access	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.3, 8.4, 15.1, 15.2, 16.1
CVE-2015-3197	Primavera P6 Enterprise Project Portfolio Management	Project manager	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	8.3, 8.4, 15.1, 15.2
CVE-2016-3567	Primavera P6 Enterprise Project Portfolio Management	Web access	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	8.3, 8.4, 15.1, 15.2, 16.1

Additional CVEs addressed:

The fix for CVE-2015-1791 also addresses CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, and CVE-2015-1792.
The fix for CVE-2015-3197 also addresses CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, and CVE-2016-0701.

Appendix - Oracle Java SE

Oracle Java SE Executive Summary

This Critical Patch Update contains 13 new security fixes for Oracle Java SE. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Low" instead of "High", lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.

Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 and 8 releases.

Oracle Java SE Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-3587	Java SE, Java SE Embedded	Hotspot	Multiple	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	Java SE: 8u92; Java SE Embedded: 8u91	See Note 1
CVE-2016-3606	Java SE, Java SE Embedded	Hotspot	Multiple	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	Java SE: 7u101, 8u92; Java SE Embedded: 8u91	See Note 1
CVE-2016-3598	Java SE, Java SE Embedded	Libraries	Multiple	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	Java SE: 8u92; Java SE Embedded: 8u91	See Note 1
CVE-2016-3610	Java SE, Java SE Embedded	Libraries	Multiple	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	Java SE: 8u92; Java SE Embedded: 8u91	See Note 1
CVE-2016-3552	Java SE	Install	None	No	8.1	Local	High	None	None	Changed	High	High	High	Java SE: 8u92	See Note 2
CVE-2016-3511	Java SE	Deployment	None	No	7.7	Local	High	None	Required	Changed	High	High	High	Java SE: 7u101, 8u92	See Note 1
CVE-2016-3503	Java SE	Install	None	No	7.7	Local	High	None	Required	Changed	High	High	High	Java SE: 6u115, 7u101, 8u92	See Note 2
CVE-2016-3498	Java SE	JavaFX	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 7u101, 8u92	See Note 1
CVE-2016-3500	Java SE, Java SE Embedded, JRockit	JAXP	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 6u115, 7u101, 8u92; Java SE Embedded: 8u91; JRockit: R28.3.10	See Note 3
CVE-2016-3508	Java SE, Java SE Embedded, JRockit	JAXP	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 6u115, 7u101, 8u92; Java SE Embedded: 8u91; JRockit: R28.3.10	See Note 3
CVE-2016-3458	Java SE, Java SE Embedded	CORBA	Multiple	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	Java SE: 6u115, 7u101, 8u92; Java SE Embedded: 8u91	See Note 1
CVE-2016-3550	Java SE, Java SE Embedded	Hotspot	Multiple	Yes	4.3	Network	Low	None	Required	Un- changed	Low	None	None	Java SE: 6u115, 7u101, 8u92; Java SE Embedded: 8u91	See Note 1
CVE-2016-3485	Java SE, Java SE Embedded, JRockit	Networking	None	No	2.9	Local	High	None	None	Un- changed	None	Low	None	Java SE: 6u115, 7u101, 8u92; Java SE Embedded: 8u91; JRockit: R28.3.10	See Note 3

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
Applies to installation process on client deployment of Java.
Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

Appendix - Oracle Sun Systems Products Suite

Oracle Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 34 new security fixes for the Oracle Sun Systems Products Suite. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Sun Systems Products Suite Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-5453	ILOM	IPMI	IPMI	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.0, 3.1, 3.2
CVE-2015-0235	Sun Data Center InfiniBand Switch 36	Firmware	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Versions prior to 2.2.2
CVE-2015-0235	Sun Network QDR InfiniBand Gateway Switch	Firmware	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Versions prior to 2.2.2
CVE-2016-5457	ILOM	LUMAIN	Multiple	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	3.0, 3.1, 3.2
CVE-2012-3410	ILOM	Restricted Shell	Multiple	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	3.0, 3.1, 3.2
CVE-2016-5445	ILOM	Authentication	Multiple	Yes	8.3	Network	Low	None	None	Changed	Low	Low	Low	3.0, 3.1, 3.2
CVE-2015-5600	ILOM	SSH	SSH	Yes	8.2	Network	Low	None	None	Un- changed	Low	None	High	3.0, 3.1, 3.2
CVE-2016-3481	ILOM	Web	HTTP	No	7.7	Network	Low	Low	None	Changed	None	None	High	3.0, 3.1, 3.2
CVE-2016-5447	ILOM	Backup-Restore	HTTP	No	7.6	Network	Low	Low	None	Un- changed	High	Low	Low	3.0, 3.1, 3.2
CVE-2016-5449	ILOM	Console Redirection	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	3.0, 3.1, 3.2
CVE-2016-3585	ILOM	Emulex	HTTPS	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	3.0, 3.1, 3.2
CVE-2016-5446	ILOM	Infrastructure	Multiple	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	3.0, 3.1, 3.2
CVE-2016-3584	Solaris	Libadimalloc	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	11.3
CVE-2016-5448	ILOM	SNMP	SNMP	Yes	6.5	Network	Low	None	None	Un- changed	None	Low	Low	3.0, 3.1, 3.2
CVE-2015-1793	ILOM	OpenSSL	SSL/TLS	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	3.0, 3.1, 3.2
CVE-2015-3183	SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers	XCP Firmware	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	None	High	None	XCP prior to XCP1121
CVE-2015-8104	Solaris	Solaris Kernel Zones	None	No	6.5	Local	Low	Low	None	Changed	None	None	High	11.3
CVE-2016-5454	Solaris	Verified Boot	None	No	6.4	Local	High	Low	None	Changed	None	Low	High	11.3
CVE-2015-3197	40G 10G 72/64 Ethernet Switch	Firmware	SSL/TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	2.0.0
CVE-2015-3197	Oracle Switch ES1-24	Firmware	SSL/TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	1.3
CVE-2015-3197	Sun Blade 6000 Ethernet Switched NEM 24P 10GE	Firmware	SSL/TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	1.2
CVE-2015-3197	Sun Network 10GE Switch 72p	Firmware	SSL/TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	1.2
CVE-2016-3453	Solaris	Kernel	None	No	5.5	Local	Low	Low	None	Un- changed	None	None	High	10
CVE-2016-3497	Solaris	Kernel	None	No	5.5	Local	Low	Low	None	Un- changed	None	None	High	11.3
CVE-2016-5469	Solaris	Kernel	None	No	5.5	Local	Low	Low	None	Un- changed	None	None	High	11.3
CVE-2016-5471	Solaris	Kernel	None	No	5.5	Local	Low	Low	None	Un- changed	None	None	High	11.3
CVE-2016-5452	Solaris	Verified Boot	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	11.3
CVE-2013-2566	Fujitsu M10-1, M10-4, M10-4S Servers	XCP Firmware	SSL/TLS	Yes	5.3	Network	High	None	Required	Un- changed	High	None	None	XCP prior to XCP2280
CVE-2016-0800	Fujitsu M10-1, M10-4, M10-4S Servers	XCP Firmware	SSL/TLS	Yes	5.3	Network	High	None	Required	Un- changed	High	None	None	XCP prior to XCP2320
CVE-2015-2808	SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers	XCP Firmware	SSL/TLS	Yes	5.3	Network	High	None	Required	Un- changed	High	None	None	XCP prior to XCP1121
CVE-2016-3451	ILOM	Web	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	3.0, 3.1, 3.2
CVE-2016-3480	Solaris Cluster	HA for Postgresql	None	No	4.4	Local	Low	High	None	Un- changed	High	None	None	3.3, 4.3
CVE-2014-3566	Sun Data Center InfiniBand Switch 36	Firmware	HTTPS	Yes	3.1	Network	High	None	Required	Un- changed	Low	None	None	Versions prior to 2.2.2
CVE-2014-3566	Sun Network QDR InfiniBand Gateway Switch	Firmware	HTTPS	Yes	3.1	Network	High	None	Required	Un- changed	Low	None	None	Versions prior to 2.2.2

Appendix - Oracle Linux and Virtualization

Oracle Virtualization Executive Summary

This Critical Patch Update contains 4 new security fixes for Oracle Virtualization. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-3613	Oracle Secure Global Desktop	OpenSSL	SSL/TLS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	4.63, 4.71, 5.2
CVE-2013-2064	Oracle Secure Global Desktop	X Server	X11	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	4.71, 5.2
CVE-2016-3612	Oracle VM VirtualBox	Core	SSL/TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	VirtualBox prior to 5.0.22
CVE-2016-3597	Oracle VM VirtualBox	Core	None	No	5.5	Local	Low	Low	None	Un- changed	None	None	High	VirtualBox prior to 5.0.26

Additional CVEs addressed:

The fix for CVE-2016-3612 also addresses CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109, and CVE-2016-2176.
The fix for CVE-2016-3613 also addresses CVE-2015-3193, CVE-2015-3194, CVE-2016-0702, CVE-2016-0797, CVE-2016-0799, CVE-2016-2105, and CVE-2016-2107.

Appendix - Oracle MySQL

Oracle MySQL Executive Summary

This Critical Patch Update contains 22 new security fixes for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Sub- component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-3477	MySQL Server	Server: Parser	None	No	8.1	Local	High	None	None	Changed	High	High	High	5.5.49 and earlier, 5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-3440	MySQL Server	Server: Optimizer	MySQL Protocol	No	7.7	Network	Low	Low	None	Changed	None	None	High	5.7.11 and earlier
CVE-2016-2105	MySQL Server	Server: Security: Encryption	MySQL Protocol	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-3471	MySQL Server	Server: Option	None	No	7.5	Local	High	High	None	Changed	High	High	High	5.5.45 and earlier, 5.6.26 and earlier
CVE-2016-3486	MySQL Server	Server: FTS	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-3501	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-3518	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.12 and earlier
CVE-2016-3521	MySQL Server	Server: Types	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.5.49 and earlier, 5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-3588	MySQL Server	Server: InnoDB	MySQL Protocol	No	5.9	Network	High	Low	None	Un- changed	None	Low	High	5.7.12 and earlier
CVE-2016-3615	MySQL Server	Server: DML	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	5.5.49 and earlier, 5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-3614	MySQL Server	Server: Security: Encryption	MySQL Protocol	No	5.3	Network	High	Low	None	Un- changed	None	None	High	5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-5436	MySQL Server	Server: InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.12 and earlier
CVE-2016-3459	MySQL Server	Server: InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-5437	MySQL Server	Server: Log	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.12 and earlier
CVE-2016-3424	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.12 and earlier
CVE-2016-5439	MySQL Server	Server: Privileges	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-5440	MySQL Server	Server: RBR	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.5.49 and earlier, 5.6.30 and earlier, 5.7.12 and earlier
CVE-2016-5441	MySQL Server	Server: Replication	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.12 and earlier
CVE-2016-5442	MySQL Server	Server: Security: Encryption	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.12 and earlier
CVE-2016-5443	MySQL Server	Server: Connection	None	No	4.7	Local	High	None	Required	Un- changed	None	None	High	5.7.12 and earlier
CVE-2016-5444	MySQL Server	Server: Connection	MySQL Protocol	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	5.5.48 and earlier, 5.6.29 and earlier, 5.7.11 and earlier
CVE-2016-3452	MySQL Server	Server: Security: Encryption	MySQL Protocol	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	5.5.48 and earlier, 5.6.29 and earlier, 5.7.10 and earlier

Additional CVEs addressed:

The fix for CVE-2016-2105 also addresses CVE-2016-2106.