Source

Oracle Critical Patch Update Advisory - January 2018

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:

Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

The January 2018 Critical Patch Update provides fixes for certain Oracle products for the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) Intel processor vulnerabilities. Please refer to this Advisory and the Addendum to the January 2018 Critical Patch Update Advisory for Spectre and Meltdown MOS note (Doc ID 2347948.1).

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.

This Critical Patch Update contains 238 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at January 2018 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Agile Material and Equipment Management for Pharmaceuticals, versions 9.3.3, 9.3.4	Oracle Supply Chain Products
Application Express, versions prior to 5.1.4.00.08	Database
Converged Commerce, version 16.0.1	Retail Applications
Hyperion BI+, version 11.1.2.4	Fusion Middleware
Hyperion Data Relationship Management, version 11.1.2.4.330	Fusion Middleware
Integrated Lights Out Manager (ILOM), versions 3.x, 4.x	Systems
Java Advanced Management Console, version 2.8	Java SE
Java ME SDK, version 8.3	Java ME
JD Edwards EnterpriseOne Tools, version 9.2	JD Edwards
MICROS Handheld Terminal, versions Prior to BSP 02.13.0701 (070116)	MICROS Handheld Terminal
MICROS Relate CRM Software, versions 10.8.x, 11.4.x	Retail Applications
MICROS Retail XBRi Loss Prevention, versions 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1	Retail Applications
MySQL Connectors, versions 5.3.9 and prior, 6.9.9 and prior, 6.10.4 and prior	MySQL
MySQL Enterprise Monitor, versions 3.3.6.3293 and prior, 3.4.4.4226 and prior, 4.0.0.5135 and prior	MySQL
MySQL Server, versions 5.5.58 and prior, 5.6.38 and prior, 5.7.20 and prior	MySQL
Oracle Access Manager, versions 10.1.4.3.0, 11.1.2.3.0	Fusion Middleware
Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0, 6.2.1	Oracle Supply Chain Products
Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6	Oracle Supply Chain Products
Oracle Agile PLM MCAD Connector, versions 3.3, 3.4, 3.5, 3.6	Oracle Supply Chain Products
Oracle Argus Safety, versions 7.x, 8.0.x, 8.1	Health Sciences
Oracle Autovue for Agile Product Lifecycle Management, versions 21.0.0, 21.0.1	Oracle Supply Chain Products
Oracle Banking Corporate Lending, versions 12.3.0, 12.4.0	Oracle Financial Services Applications
Oracle Banking Payments, versions 12.3.0, 12.4.0	Oracle Financial Services Applications
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0	Fusion Middleware
Oracle Communications Application Session Controller, version 3.x	Oracle Communications Application Session Controller
Oracle Communications BRM - Elastic Charging Engine, version 7.5	Oracle Communications BRM - Elastic Charging Engine
Oracle Communications Convergent Charging Controller, version 6.0	Oracle Communications Convergent Charging Controller
Oracle Communications Network Charging and Control, version 6.0	Oracle Communications Network Charging and Control
Oracle Communications Order and Service Management, versions 7.2.4.1.x, 7.2.4.2.x, 7.3.0.1.x, 7.3.0.x.x	Oracle Communications Order and Service Management
Oracle Communications Services Gatekeeper, versions 5.1, 6.0	Oracle Communications Services Gatekeeper
Oracle Communications Unified Inventory Management, versions 7.2.4.2.x, 7.3	Oracle Communications Unified Inventory Management
Oracle Communications User Data Repository, versions 10.x, 12.x	Oracle Communications User Data Repository
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1	Database
Oracle Directory Server Enterprise Edition, version 11.1.1.7.0	Fusion Middleware
Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7	E-Business Suite
Oracle Endeca Information Discovery Integrator, versions 3.1.0, 3.2.0	Fusion Middleware
Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.5.x, 8.0.x	Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Analytical Applications Reconciliation Framework, version 8.0.x	Oracle Financial Services Analytical Applications Reconciliation Framework
Oracle Financial Services Asset Liability Management, versions 6.1.x, 8.0.x	Oracle Financial Services Asset Liability Management
Oracle Financial Services Balance Sheet Planning, version 8.0.x	Oracle Financial Services Balance Sheet Planning
Oracle Financial Services Funds Transfer Pricing, versions 6.1.x, 8.0.x	Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Hedge Management and IFRS Valuations, version 8.0.x	Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services Liquidity Risk Management, version 8.0.x	Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Loan Loss Forecasting and Provisioning, version 8.0.x	Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Market Risk, version 8.0.x	Oracle Financial Services Market Risk
Oracle Financial Services Market Risk Measurement and Management, version 8.0.5	Oracle Financial Services Market Risk Mesurement and Management
Oracle Financial Services Price Creation and Discovery, version 8.0.5	Oracle Financial Services Price Creation And Discovery
Oracle Financial Services Profitability Management, versions 6.1.x, 8.0.x	Oracle Financial Services Profitability Management
Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3	Oracle Financial Services Applications
Oracle FLEXCUBE Universal Banking, versions 11.3.0, 11.4.0, 11.5.0, 11.6.0, 11.7.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0	Oracle Financial Services Applications
Oracle Fusion Applications, versions 11.1.2 through 11.1.9	Fusion Applications
Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.9, 11.1.2.3, 12.1.3.0, 12.2.1.2, 12.2.1.3	Fusion Middleware
Oracle Health Sciences Empirica Inspections, version 1.0.1.1	Health Sciences
Oracle Health Sciences Empirica Signal, version 8.0.1.0	Health Sciences
Oracle Hospitality Cruise Dining Room Management, version 8.0.78	Oracle Hospitality Cruise Dining Room Management
Oracle Hospitality Cruise Fleet Management, version 9.0.4.0	Oracle Hospitality Cruise Fleet Management
Oracle Hospitality Cruise Shipboard Property Management System, version 7.3.874	Oracle Hospitality Cruise Shipboard Property Management System
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1	Oracle Hospitality Guest Access
Oracle Hospitality Labor Management, versions 8.5.1, 9.0.0	Oracle Hospitality Labor Management
Oracle Hospitality Reporting and Analytics, versions 8.5.1, 9.0.0	Oracle Hospitality Reporting and Analytics
Oracle Hospitality Simphony, versions 2.7, 2.8, 2.9	Oracle Hospitality Simphony
Oracle HTTP Server, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0	Fusion Middleware
Oracle Hyperion Planning, version 11.1.2.4.007	Fusion Middleware
Oracle Identity Manager, version 11.1.2.3.0	Fusion Middleware
Oracle Identity Manager Connector, versions 9.0.4.20.6, 9.0.4.21.0, 9.0.4.25.4	Fusion Middleware
Oracle Internet Directory, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0	Fusion Middleware
Oracle iPlanet Web Server, version 7.0	Fusion Middleware
Oracle Java SE, versions 6u171, 7u161, 8u152, 9.0.1	Java SE
Oracle Java SE Embedded, version 8u151	Java SE
Oracle JDeveloper, versions 11.1.1.2.4, 11.1.1.7.0, 11.1.1.7.1, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.2.0	Fusion Middleware
Oracle JRockit, version R28.3.16	Java SE
Oracle Mobile Security Suite, version 3.0.1	Fusion Middleware
Oracle Retail Assortment Planning, versions 14.1.3, 15.0.3, 16.0.1	Retail Applications
Oracle Retail Convenience and Fuel POS Software, version 2.1.132	Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0.x	Retail Applications
Oracle Retail Fiscal Management, version 14.1	Retail Applications
Oracle Retail Merchandising System, version 16.0	Retail Applications
Oracle Retail Workforce Management, versions 1.60.7, 1.64.0	Retail Applications
Oracle Secure Global Desktop (SGD), version 5.3	Virtualization
Oracle Transportation Management, versions 6.2.11, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.1, 6.4.2, 6.4.3	Oracle Supply Chain Products
Oracle Tuxedo System and Applications Monitor, version 12.1.3.0.0	Fusion Middleware
Oracle VM VirtualBox, versions prior to 5.1.32, prior to 5.2.6	Virtualization
Oracle WebCenter Content, versions 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0	Fusion Middleware
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0	Fusion Middleware
Oracle WebCenter Sites, version 11.1.1.8.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0	Fusion Middleware
Oracle X86 Servers, versions SW 1.x, SW 2.x	Systems
OSS Support Tools, versions prior to 2.11.33	Support Tools
PeopleSoft Enterprise FIN Supply Chain Portal Pack Argentina, version 9.1	PeopleSoft
PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil, version 9.1	PeopleSoft
PeopleSoft Enterprise FSCM, version 9.2	PeopleSoft
PeopleSoft Enterprise HCM Human Resources, versions 9.1, 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.54, 8.55, 8.56	PeopleSoft
PeopleSoft Enterprise PRTL Interaction Hub, version 9.1.00	PeopleSoft
PeopleSoft Enterprise SCM eProcurement, versions 9.1, 9.2	PeopleSoft
PeopleSoft Enterprise SCM Purchasing, version 9.2	PeopleSoft
Primavera Unifier, versions 10.x, 15.x, 16.x, 17.x	Oracle Construction and Engineering Suite
Siebel Applications, versions 16.0, 17.0	Siebel
Solaris, versions 10, 11.3	Systems
Sun ZFS Storage Appliance Kit (AK), versions prior to 8.7.13	Systems

Note:

Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security fixes required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible. Until you apply the Critical Patch Update fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update January 2018 Availability Document, My Oracle Support Note 2325393.1.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

Adam Willard of Blue Canopy: CVE-2018-2596, CVE-2018-2713
Allen Reese: CVE-2018-2599
Andrea Micalizzi aka rgod, working with Trend Micro's Zero Day Initiative: CVE-2018-2615, CVE-2018-2616, CVE-2018-2617
Apostolos Giannakidis of Waratek : CVE-2018-2677
Brandon Vincent: CVE-2018-2593
Dhiraj Mishra: CVE-2018-2715
Dmitrii Iudin aka @ret5et of ERPScan: CVE-2018-2605
Dmitry Chastuhin of ERPScan: CVE-2018-2636
Egidio Romano of Karma(In)Security: CVE-2018-2699
Florian Ohlms of Daimler TSS: CVE-2018-2574
Greg Hudson of MIT Kerberos team: CVE-2018-2629
Himanshu Mehta: CVE-2018-2569
Jeremy Buis of softwaresecured.com: CVE-2018-2625
John Page (hyp3rlinx): CVE-2017-10273
Juan Pablo Perez Etchegoyen of Onapsis: CVE-2018-2655, CVE-2018-2656
Lukasz Mikula: CVE-2017-10068, CVE-2018-2651, CVE-2018-2652, CVE-2018-2653, CVE-2018-2695
Lukasz Plonka of ING Services Polska: CVE-2018-2610
Marc Heuse: CVE-2018-2710
Marcin Wołoszyn of ING Services Polska: CVE-2018-2594, CVE-2018-2595
Marek Janiczek of Prevenity: CVE-2018-2733
Matej Tymes: CVE-2018-2579
Michal Rydlo: CVE-2018-2641
Mohammad Shah Bin Mohammad Esa of SEC Consult Vulnerability Lab: CVE-2018-2660, CVE-2018-2661
Mohammed Nazim Rafiq: CVE-2018-2674
Moritz Bechler: CVE-2018-2633, CVE-2018-2637
Niklas Baumstark: CVE-2018-2693, CVE-2018-2694
Niklas Baumstark via Beyond Security's SecuriTeam Secure Disclosure program: CVE-2018-2698
Paolo Stagno aka VoidSec: CVE-2018-2658, CVE-2018-2659
Red Hat Product Security: CVE-2018-2696, CVE-2018-2703
Reha Esen from VeraSafe.com: CVE-2018-2642, CVE-2018-2643, CVE-2018-2644
Reno Robert: CVE-2018-2676
Rohit Varude: CVE-2018-2630
Samandeep Singh of SEC Consult Vulnerability Lab: CVE-2018-2660, CVE-2018-2661
Sebastian Fuchs of NTT Security: CVE-2018-2631, CVE-2018-2662
Sherif Koussa of softwaresecured.com: CVE-2018-2625
Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2018-2567, CVE-2018-2570, CVE-2018-2571
Sumit Khandelwal: CVE-2018-2711
Travis Emmert of Exodus Intelligence: CVE-2018-2601
Vasily Vasiliev of Trend Micro's Zero Day Initiative: CVE-2018-2685, CVE-2018-2686, CVE-2018-2687, CVE-2018-2688, CVE-2018-2689, CVE-2018-2690
Vijay Saindane: CVE-2018-2630
Zuozhi Fan: CVE-2018-2667, CVE-2018-2668

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program.:

Adam Willard of Blue Canopy
Alexander Mirosh of Hewlett Packard Enterprise
Alvaro Munoz of Hewlett Packard Enterprise
Appidi Saikumar Reddy
Daniel Bleichenbacher of Google
Olaf Kummer of CoreMedia
SaifAllah benMassaoud (2 reports)

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:

Ali Wamim Khan
Cameron Dawe of Spam404.com (2 reports)
Chacko K Abraham
Cole Woods
Gourav Kumar Jha
Ifrah Iman
Joao F M Figueiredo
Kenan Can
Kenan Genc
Li ChaoHan Bon
Mohit Rawat (2 reports)
Muhammad Uwais
Richard Alviarez
Sergius Low Jun Kai
Sreedeep Ck Alavil of Kerala Police Cyber Dome Volunteers Commander
Ugur Can Atasoy
Unmesh Jore

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

17 April 2018
17 July 2018
16 October 2018
15 January 2019

References

Modification History

Date	Note
2018-March-20	Rev 8. Credit Statement Update.
2018-March-1	Rev 7. Added note concerning patching of dependent Oracle products.
2018-February-12	Rev 6. Updated versions affected by CVE-2018-2575.
2018-February-05	Rev 5. On-Line Presence Security Contributors Update.
2018-January-22	Rev 4. Corrected list of additional CVEs associated with CVE-2016-2179 and CVE-2017-3732 in Fusion Middleware Risk Matrix and updated Credit Statement.
2018-January-19	Rev 3. Credit Statement Update.
2018-January-18	Rev 2. Clarify product naming and version for Retail product.
2018-January-16	Rev 1. Initial Release.

Oracle Database Server Risk Matrix

This Critical Patch Update contains 5 new security fixes for the Oracle Database Server. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 1 of these fixes is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-10282	Core RDBMS	Create Session, Execute Catalog Role	Oracle Net	No	9.1	Network	Low	High	None	Changed	High	High	High	12.1.0.2, 12.2.0.1
CVE-2018-2680	Java VM	Create Session, Create Procedure	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1
CVE-2017-12617	WLM (Apache Tomcat)	None	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.2.0.1
CVE-2018-2699	Application Express	None	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	Prior to 5.1.4.00.08
CVE-2018-2575	Core RDBMS	Local Logon	Multiple	No	2.0	Network	High	High	Required	Un- changed	Low	None	None	11.2.0.4, 12.1.0.2, 12.2.0.1	See Note 1

Notes:

Applicable only to Windows platform.

Oracle Database Server Client-Only Installations

The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2018-2575.

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 10 new security fixes for Oracle Communications Applications. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2015-3253	Oracle Communications BRM - Elastic Charging Engine	Security (Apache Groovy)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.5
CVE-2017-5645	Oracle Communications BRM - Elastic Charging Engine	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.5
CVE-2017-5645	Oracle Communications Convergent Charging Controller	Notifications Gateway (Apache Log4j)	TCP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0
CVE-2017-5645	Oracle Communications Network Charging and Control	Notifications Gateway (Apache Log4j)	TCP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.0
CVE-2017-5645	Oracle Communications Services Gatekeeper	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.1, 6.0
CVE-2016-5385	Oracle Communications User Data Repository	Security (PM&C)	Multiple	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	10.x, 12.x
CVE-2018-2570	Oracle Communications Unified Inventory Management	Portal	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	7.2.4.2.x, 7.3
CVE-2018-2567	Oracle Communications Order and Service Management	Portal	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.2.4.1.x, 7.2.4.2.x, 7.3.0.x.x, 7.3.0.1.x
CVE-2013-2566	Oracle Communications Application Session Controller	Security	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	3.x
CVE-2018-2571	Oracle Communications Unified Inventory Management	Portal	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	7.2.4.2.x, 7.3

Additional CVEs addressed are below:

The fix for CVE-2013-2566 also addresses CVE-2015-2808.
The fix for CVE-2015-3253 also addresses CVE-2016-6814.
The fix for CVE-2016-5385 also addresses CVE-2016-2518, CVE-2016-2550, CVE-2016-4449, CVE-2016-5387 and CVE-2016-7977.

Oracle Construction and Engineering Suite Risk Matrix

This Critical Patch Update contains 1 new security fix for the Oracle Construction and Engineering Suite. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2620	Primavera Unifier	Platform	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	10.x, 15.x, 16.x, 17.x

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 7 new security fixes for the Oracle E-Business Suite. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the January 2018 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (January 2018), My Oracle Support Note 2334374.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2656	Oracle General Ledger	Data Manager Server	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2655	Oracle Work in Process	Assemble/Configure to Order	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-3736	Application Server	Tech Stack (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	12.1.3
CVE-2018-2691	Oracle User Management	Proxy User Delegation	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2684	Oracle User Management	Registration Process	HTTP	No	4.9	Network	Low	High	None	Un- changed	High	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2635	Oracle Application Object Library	Login	HTTP	Yes	4.8	Network	High	None	None	Un- changed	Low	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2018-2580	Oracle Applications DBA	ADPatch	None	No	4.4	Local	Low	High	None	Un- changed	High	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7

Additional CVEs addressed are below:

The fix for CVE-2017-3736 also addresses CVE-2017-3735.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 34 new security fixes for Oracle Financial Services Applications. 13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2706	Oracle Banking Corporate Lending	Core module	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.3.0, 12.4.0
CVE-2018-2705	Oracle Banking Payments	Payments Core	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.3.0, 12.4.0
CVE-2018-2648	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0
CVE-2018-2707	Oracle Banking Corporate Lending	Core module	HTTP	No	8.1	Network	Low	Low	None	Un- changed	None	High	High	12.3.0, 12.4.0
CVE-2018-2704	Oracle Banking Payments	Payments Core	HTTP	No	8.1	Network	Low	Low	None	Un- changed	None	High	High	12.3.0, 12.4.0
CVE-2018-2723	Oracle Financial Services Asset Liability Management	User Interface	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	6.1.x, 8.0.x
CVE-2018-2592	Oracle Financial Services Balance Sheet Planning	User Interface	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	8.0.x
CVE-2018-2729	Oracle Financial Services Funds Transfer Pricing	User Interface	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	6.1.x, 8.0.x
CVE-2018-2725	Oracle Financial Services Hedge Management and IFRS Valuations	User Interface	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	8.0.x
CVE-2018-2720	Oracle Financial Services Liquidity Risk Management	User Interface	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	8.0.x
CVE-2018-2724	Oracle Financial Services Loan Loss Forecasting and Provisioning	User Interface	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	8.0.x
CVE-2018-2726	Oracle Financial Services Market Risk	User Interface	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	8.0.x
CVE-2018-2727	Oracle Financial Services Market Risk Measurement and Management	User Interface	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	8.0.5
CVE-2018-2721	Oracle Financial Services Price Creation and Discovery	User Interface	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	8.0.5
CVE-2018-2679	Oracle Financial Services Profitability Management	User Interface	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	6.1.x, 8.0.x
CVE-2018-2649	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	8.1	Network	Low	Low	None	Un- changed	None	High	High	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0
CVE-2018-2660	Oracle Financial Services Analytical Applications Infrastructure	Core	HTTP	No	7.4	Network	Low	Low	None	Changed	Low	Low	Low	7.3.5.x, 8.0.x
CVE-2018-2661	Oracle Financial Services Analytical Applications Infrastructure	Core	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.3.5.x, 8.0.x
CVE-2018-2732	Oracle Financial Services Analytical Applications Reconciliation Framework	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.x
CVE-2018-2692	Oracle Financial Services Asset Liability Management	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.1.x, 8.0.x
CVE-2018-2626	Oracle Financial Services Balance Sheet Planning	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.x
CVE-2018-2728	Oracle Financial Services Funds Transfer Pricing	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.1.x, 8.0.x
CVE-2018-2719	Oracle Financial Services Hedge Management and IFRS Valuations	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.x
CVE-2018-2682	Oracle Financial Services Liquidity Risk Management	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.x
CVE-2018-2712	Oracle Financial Services Loan Loss Forecasting and Provisioning	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.x
CVE-2018-2714	Oracle Financial Services Market Risk	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.x
CVE-2018-2716	Oracle Financial Services Market Risk Measurement and Management	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.5
CVE-2018-2722	Oracle Financial Services Price Creation and Discovery	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.5
CVE-2018-2670	Oracle Financial Services Profitability Management	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.1.x, 8.0.x
CVE-2018-2674	Oracle FLEXCUBE Direct Banking	Logoff	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.0.2, 12.0.3
CVE-2018-2630	Oracle FLEXCUBE Universal Banking	Security Management System	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	11.5.0, 11.6.0, 11.7.0
CVE-2018-2709	Oracle Banking Corporate Lending	Core module	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.3.0, 12.4.0
CVE-2018-2708	Oracle Banking Payments	Payments Core	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	12.3.0, 12.4.0
CVE-2018-2614	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	5.3	Network	High	Low	None	Un- changed	High	None	None	11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 27 new security fixes for Oracle Fusion Middleware. 21 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the January 2018 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2018 Patch Availability Document for Oracle Products, My Oracle Support Note 2325393.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-10352	Oracle WebLogic Server	WLS - Web Services	HTTP	Yes	9.9	Network	Low	None	None	Changed	Low	Low	High	12.2.1.3.0
CVE-2017-5461	Oracle Directory Server Enterprise Edition	Admin Console (Sun Security Libraries)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.7.0
CVE-2017-5461	Oracle iPlanet Web Server	Security (NSS)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.0
CVE-2017-5645	Oracle WebLogic Server	Sample apps (Apache Log4j)	TCP/UDP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2016-0635	Oracle Identity Manager	Security	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	11.1.2.3.0
CVE-2015-7501	Oracle Identity Manager Connector	CA ACF2 (Apache Commons Collections)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	9.0.4.20.6, 9.0.4.21.0, 9.0.4.25.4
CVE-2015-7501	Oracle Identity Manager	Security (Apache Commons Collections)	HTTP	Yes	8.6	Network	Low	None	None	Un- changed	High	Low	Low	11.1.2.3.0
CVE-2017-10068	Oracle Business Intelligence Enterprise Edition	Analytics Web Dashboards	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.2.1.3.0
CVE-2018-2711	Oracle JDeveloper	Security Framework	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.2.4, 11.1.1.7.0, 11.1.1.7.1, 11.1.1.9.0, 12.1.3.0.0
CVE-2016-2107	Oracle Mobile Security Suite	Internal Development (OpenSSL)	HTTPS	Yes	8.2	Network	Low	None	None	Un- changed	Low	None	High	3.0.1
CVE-2018-2564	Oracle WebCenter Content	Content Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	Low	High	None	11.1.1.9.0
CVE-2018-2596	Oracle WebCenter Content	Content Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	Low	High	None	11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2016-1182	Oracle WebCenter Portal	Security Framework (Apache Struts 1)	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	None	Low	High	11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-2713	Oracle WebCenter Portal	WebCenter Spaces Application	HTTP	Yes	8.2	Network	Low	None	Required	Changed	Low	High	None	11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2017-12617	Oracle Endeca Information Discovery Integrator	Other Issues (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	3.1.0, 3.2.0
CVE-2017-12617	Oracle Tuxedo System and Applications Monitor	tsam-General (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.1.3.0.0
CVE-2018-2601	Oracle Internet Directory	Oracle Directory Services Manager	HTTP	No	8.0	Network	High	High	None	Changed	High	High	High	11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0
CVE-2017-9798	Oracle HTTP Server	Web Listener	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2015-7940	Oracle WebCenter Portal	Security Framework (Bouncy Castle Java package)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-2715	Oracle Business Intelligence Enterprise Edition	BI Platform Security	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.2.1.2.0, 12.2.1.3.0
CVE-2017-10262	Oracle Access Manager	Web Server Plugin	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	11.1.2.3.0
CVE-2017-3732	Oracle Access Manager	Web Server Plugin (OpenSSL)	HTTPS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	10.1.4.3.0
CVE-2016-2179	Oracle Business Intelligence Enterprise Edition	Analytics Server (OpenSSL)	HTTPS	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-2561	Oracle HTTP Server	Web Listener	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
CVE-2018-2625	Oracle WebLogic Server	Web Services	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3.0.0, 12.2.1.3.0, 12.2.1.2.0
CVE-2017-10273	Oracle JDeveloper	Deployment	None	No	4.7	Local	High	High	Required	Changed	Low	Low	Low	11.1.1.7.0, 11.1.1.7.1, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.2.0
CVE-2018-2584	Oracle WebCenter Sites	Advanced UI	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	11.1.1.8.0

Additional CVEs addressed are below:

The fix for CVE-2015-7501 also addresses CVE-2015-4852.
The fix for CVE-2016-1182 also addresses CVE-2014-0114 and CVE-2016-1181.
The fix for CVE-2016-2107 also addresses CVE-2016-2105, CVE-2016-2106 and CVE-2016-2109.
The fix for CVE-2016-2179 also addresses CVE-2016-2107, CVE-2016-2177, CVE-2016-2178, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6306, CVE-2016-7052, CVE-2016-7055, CVE-2017-3731 and CVE-2017-3732.
The fix for CVE-2017-3732 also addresses CVE-2016-2177, CVE-2016-2178, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6306, CVE-2016-7052, CVE-2016-7055 and CVE-2017-3731.
The fix for CVE-2018-2561 also addresses CVE-2007-6750.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 7 new security fixes for Oracle Health Sciences Applications. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2613	Oracle Argus Safety	Login	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	High	Low	None	7.x, 8.0.x, 8.1
CVE-2018-2642	Oracle Argus Safety	File Upload	HTTP	No	6.5	Network	Low	Low	Required	Changed	Low	Low	Low	7.x, 8.0.x
CVE-2018-2643	Oracle Argus Safety	Case Selection	HTTP	No	6.4	Network	Low	Low	None	Changed	Low	Low	None	7.x, 8.0.x
CVE-2018-2644	Oracle Argus Safety	Worklist	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.x, 8.0.x, 8.1
CVE-2017-9072	Oracle Health Sciences Empirica Inspections	UI (Calendar)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	1.0.1.1
CVE-2017-9072	Oracle Health Sciences Empirica Signal	UI (Calendar)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.1.0
CVE-2017-12617	Oracle Health Sciences Empirica Inspections	Base (Apache Tomcat)	HTTP	Yes	4.8	Network	High	None	None	Un- changed	Low	Low	None	1.0.1.1

Additional CVEs addressed are below:

The fix for CVE-2017-12617 also addresses CVE-2017-5664.

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 21 new security fixes for Oracle Hospitality Applications. 15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2697	Oracle Hospitality Cruise Fleet Management	Emergency Response System	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	9.0.4.0
CVE-2017-0781	MICROS Handheld Terminal	MC40 Zebra Handheld unit	Bluetooth	Yes	8.8	Adjacent Network	Low	None	None	Un- changed	High	High	High	Prior to BSP 02.13.0701 (070116)
CVE-2018-2608	Oracle Hospitality Simphony	Security	HTTP	Yes	8.6	Network	Low	None	None	Changed	High	None	None	2.7
CVE-2018-2597	Oracle Hospitality Cruise Dining Room Management	SilverWhere	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	8.0.78
CVE-2018-2621	Oracle Hospitality Cruise Shipboard Property Management System	Mobile Gangway and Mustering	HTTP	Yes	8.2	Network	Low	None	None	Un- changed	High	Low	None	7.3.874
CVE-2017-13077	MICROS Handheld Terminal	MC40 Zebra Handheld unit	WiFi	Yes	8.1	Adjacent Network	Low	None	None	Un- changed	High	High	None	Prior to BSP 02.13.0701 (070116)
CVE-2017-12617	Oracle Hospitality Guest Access	Base (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	4.2.0, 4.2.1
CVE-2018-2666	Oracle Hospitality Labor Management	Webservice Endpoint	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	8.5.1, 9.0.0
CVE-2018-2636	Oracle Hospitality Simphony	Security	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	2.7, 2.8, 2.9
CVE-2018-2701	Oracle Hospitality Cruise Fleet Management	Emergency Response System	HTTP	No	7.6	Network	Low	Low	Required	Changed	High	Low	None	9.0.4.0
CVE-2018-2700	Oracle Hospitality Cruise Fleet Management	Emergency Response System	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	9.0.4.0
CVE-2018-2604	Oracle Hospitality Guest Access	Base	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	4.2.1
CVE-2018-2589	Oracle Hospitality Simphony	Enterprise Server	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	2.7, 2.8, 2.9
CVE-2018-2672	Oracle Hospitality Simphony	POS	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	2.7, 2.8, 2.9
CVE-2018-2683	Oracle Hospitality Simphony	POS	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	2.7, 2.8, 2.9
CVE-2018-2650	Oracle Hospitality Reporting and Analytics	Report	HTTP	No	7.1	Network	Low	Low	None	Un- changed	Low	High	None	8.5.1, 9.0.0
CVE-2018-2619	Oracle Hospitality Simphony	Security	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	2.7
CVE-2018-2606	Oracle Hospitality Guest Access	Base	None	No	6.2	Local	Low	None	None	Un- changed	High	None	None	4.2.0, 4.2.1
CVE-2018-2669	Oracle Hospitality Reporting and Analytics	Report	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.5.1, 9.0.0
CVE-2018-2673	Oracle Hospitality Simphony	POS	HTTP	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	2.7, 2.8, 2.9
CVE-2018-2607	Oracle Hospitality Guest Access	Base	HTTP	No	4.9	Network	Low	High	None	Un- changed	None	None	High	4.2.1

Additional CVEs addressed are below:

The fix for CVE-2017-0781 also addresses CVE-2017-0782, CVE-2017-0783 and CVE-2017-0785.
The fix for CVE-2017-13077 also addresses CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081 and CVE-2017-13082.

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 4 new security fixes for Oracle Hyperion. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2733	Oracle Hyperion Planning	Security	HTTP	No	7.6	Network	High	High	Required	Changed	High	High	High	11.1.2.4.007
CVE-2018-2610	Hyperion Data Relationship Management	Access and security	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	11.1.2.4.330
CVE-2018-2594	Hyperion BI+	Foundation UI & Servlets	HTTP	No	4.3	Network	Low	High	Required	Un- changed	Low	Low	Low	11.1.2.4
CVE-2018-2595	Hyperion BI+	Foundation UI & Servlets	HTTP	No	4.3	Network	Low	High	Required	Un- changed	Low	Low	Low	11.1.2.4

Oracle Java Micro Edition Risk Matrix

This Critical Patch Update contains 1 new security fix for Oracle Java Micro Edition. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2569	Java ME SDK	Installer	None	No	7.8	Local	Low	None	Required	Un- changed	High	High	High	8.3	See Note 1

Notes:

This applies to the Windows platform only.

Oracle Java SE Risk Matrix

This Critical Patch Update contains 21 new security fixes for Oracle Java SE. 18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Low" instead of "High", lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1.

Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 8 releases.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2638	Java SE	Deployment	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 8u152, 9.0.1	See Note 1
CVE-2018-2639	Java SE	Deployment	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 8u152, 9.0.1	See Note 1
CVE-2018-2633	Java SE, Java SE Embedded, JRockit	JNDI	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	Java SE: 6u171, 7u161, 8u152, 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16	See Note 2
CVE-2018-2627	Java SE	Installer	None	No	7.5	Local	High	Low	Required	Changed	High	High	High	Java SE: 8u152, 9.0.1	See Note 3
CVE-2018-2637	Java SE, Java SE Embedded, JRockit	JMX	Multiple	Yes	7.4	Network	High	None	None	Un- changed	High	High	None	Java SE: 6u171, 7u161, 8u152, 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16	See Note 4
CVE-2018-2634	Java SE, Java SE Embedded	JGSS	Multiple	Yes	6.8	Network	High	None	None	Changed	High	None	None	Java SE: 7u161, 8u152, 9.0.1; Java SE Embedded: 8u151	See Note 1
CVE-2018-2582	Java SE, Java SE Embedded	Hotspot	Multiple	Yes	6.5	Network	Low	None	Required	Un- changed	None	High	None	Java SE: 8u152, 9.0.1; Java SE Embedded: 8u151	See Note 2
CVE-2018-2641	Java SE, Java SE Embedded	AWT	Multiple	Yes	6.1	Network	High	None	Required	Changed	None	High	None	Java SE: 6u171, 7u161, 8u152, 9.0.1; Java SE Embedded: 8u151	See Note 1
CVE-2018-2618	Java SE, Java SE Embedded, JRockit	JCE	Multiple	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	Java SE: 6u171, 7u161, 8u152, 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16	See Note 2
CVE-2018-2629	Java SE, Java SE Embedded, JRockit	JGSS	Multiple	Yes	5.3	Network	High	None	Required	Un- changed	None	High	None	Java SE: 6u171, 7u161, 8u152, 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16	See Note 2
CVE-2018-2603	Java SE, Java SE Embedded, JRockit	Libraries	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 6u171, 7u161, 8u152, 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16	See Note 2
CVE-2018-2657	Java SE, JRockit	Serialization	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	Java SE: 6u171, 7u161; JRockit: R28.3.16	See Note 4
CVE-2018-2599	Java SE, Java SE Embedded, JRockit	JNDI	Multiple	Yes	4.8	Network	High	None	None	Un- changed	None	Low	Low	Java SE: 6u171, 7u161, 8u152, 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16	See Note 2
CVE-2018-2581	Java SE	JavaFX	Multiple	Yes	4.7	Network	Low	None	Required	Changed	Low	None	None	Java SE: 7u161, 8u152, 9.0.1	See Note 1
CVE-2018-2602	Java SE, Java SE Embedded	I18n	None	No	4.5	Local	High	None	Required	Un- changed	Low	Low	Low	Java SE: 6u171, 7u161, 8u152, 9.0.1; Java SE Embedded: 8u151	See Note 1
CVE-2018-2677	Java SE, Java SE Embedded	AWT	Multiple	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	Java SE: 6u171, 7u161, 8u152, 9.0.1; Java SE Embedded: 8u151	See Note 1
CVE-2018-2678	Java SE, Java SE Embedded, JRockit	JNDI	Multiple	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	Java SE: 6u171, 7u161, 8u152, 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16	See Note 2
CVE-2018-2588	Java SE, Java SE Embedded, JRockit	LDAP	Multiple	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	Java SE: 6u171, 7u161, 8u152, 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16	See Note 2
CVE-2018-2663	Java SE, Java SE Embedded, JRockit	Libraries	Multiple	Yes	4.3	Network	Low	None	Required	Un- changed	None	None	Low	Java SE: 6u171, 7u161, 8u152, 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16	See Note 2
CVE-2018-2675	Java Advanced Management Console	Server	Multiple	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java Advanced Management Console: 2.8
CVE-2018-2579	Java SE, Java SE Embedded, JRockit	Libraries	Multiple	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java SE: 6u171, 7u161, 8u152, 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16	See Note 2

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
This vulnerability applies to the Windows installer only.
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

Oracle JD Edwards Products Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle JD Edwards Products. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2658	JD Edwards EnterpriseOne Tools	Web Runtime SEC	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2659	JD Edwards EnterpriseOne Tools	Web Runtime SEC	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2

Oracle MySQL Risk Matrix

This Critical Patch Update contains 25 new security fixes for Oracle MySQL. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-12617	MySQL Enterprise Monitor	Monitoring: General (Apache Tomcat)	HTTPS (HTTP over TLS)	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	3.3.6.3293 and prior, 3.4.4.4226 and prior, 4.0.0.5135 and prior
CVE-2018-2585	MySQL Connectors	Connector/Net	MySQL Protocol	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	6.9.9 and prior, 6.10.4 and prior
CVE-2018-2696	MySQL Server	Server : Security : Privileges	MySQL Protocol	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	5.6.38 and prior, 5.7.20 and prior
CVE-2018-2562	MySQL Server	Server : Partition	MySQL Protocol	No	7.1	Network	Low	Low	None	Un- changed	None	Low	High	5.5.58 and prior, 5.6.38 and prior, 5.7.19 and prior
CVE-2018-2583	MySQL Server	Stored Procedure	MySQL Protocol	No	6.8	Network	Low	High	None	Changed	None	None	High	5.6.38 and prior, 5.7.20 and prior
CVE-2018-2612	MySQL Server	InnoDB	MySQL Protocol	No	6.5	Network	Low	High	None	Un- changed	None	High	High	5.6.38 and prior, 5.7.20 and prior
CVE-2018-2703	MySQL Server	Server : Security : Privileges	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.38 and prior, 5.7.20 and prior
CVE-2018-2622	MySQL Server	Server: DDL	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.5.58 and prior, 5.6.38 and prior, 5.7.20 and prior
CVE-2018-2573	MySQL Server	Server: GIS	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.38 and prior, 5.7.20 and prior
CVE-2018-2640	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.5.58 and prior, 5.6.38 and prior, 5.7.20 and prior
CVE-2018-2665	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.5.58 and prior, 5.6.38 and prior, 5.7.20 and prior
CVE-2018-2668	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.5.58 and prior, 5.6.38 and prior, 5.7.20 and prior
CVE-2017-3736	MySQL Connectors	Connector/ODBC (OpenSSL)	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.3.9 and prior
CVE-2017-3736	MySQL Enterprise Monitor	Monitoring: General (OpenSSL)	HTTPS (HTTP over TLS)	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	3.3.6.3293 and prior, 3.4.4.4226 and prior, 4.0.0.5135 and prior
CVE-2017-3737	MySQL Server	Server: Packaging (OpenSSL)	MySQL Protocol	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.6.38 and prior, 5.7.20 and prior
CVE-2018-2647	MySQL Server	Server: Replication	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	5.6.38 and prior, 5.7.20 and prior
CVE-2018-2591	MySQL Server	Server : Partition	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.38 and prior, 5.7.19 and prior
CVE-2018-2576	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.20 and prior
CVE-2018-2586	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.20 and prior
CVE-2018-2646	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.20 and prior
CVE-2018-2565	MySQL Server	Server: InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.20 and prior
CVE-2018-2600	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.20 and prior
CVE-2018-2667	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.20 and prior
CVE-2018-2590	MySQL Server	Server: Performance Schema	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.38 and prior, 5.7.20 and prior
CVE-2018-2645	MySQL Server	Server: Performance Schema	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	High	None	None	5.6.38 and prior, 5.7.20 and prior

Additional CVEs addressed are below:

The fix for CVE-2017-3736 also addresses CVE-2017-3735.
The fix for CVE-2017-3737 also addresses CVE-2017-3738.

Oracle PeopleSoft Products Risk Matrix

This Critical Patch Update contains 15 new security fixes for Oracle PeopleSoft Products. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	PeopleSoft Enterprise FIN Supply Chain Portal Pack Argentina	Supply Chain Portal Pack (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.1
CVE-2017-5645	PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil	Supply Chain Portal Pack (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.1
CVE-2018-2593	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	8.8	Network	Low	None	Required	Un- changed	High	High	High	8.54, 8.55, 8.56
CVE-2017-10301	PeopleSoft Enterprise PRTL Interaction Hub	Enterprise Portal	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.1.00
CVE-2015-7940	PeopleSoft Enterprise HCM Human Resources	Install (Bouncy Castle Java package)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	9.1, 9.2
CVE-2018-2652	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	8.54, 8.55, 8.56
CVE-2018-2651	PeopleSoft Enterprise PeopleTools	XML Publisher	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	8.54, 8.55, 8.56
CVE-2018-2702	PeopleSoft Enterprise FSCM	Strategic Sourcing	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	9.2
CVE-2018-2605	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.54, 8.55, 8.56
CVE-2018-2695	PeopleSoft Enterprise PeopleTools	Query	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.54, 8.55, 8.56
CVE-2018-2671	PeopleSoft Enterprise SCM Purchasing	Supplier Registration	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	9.2
CVE-2018-2654	PeopleSoft Enterprise HCM Human Resources	Company Dir / Org Chart Viewer	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.2
CVE-2018-2681	PeopleSoft Enterprise HCM Human Resources	Security	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	9.2
CVE-2018-2731	PeopleSoft Enterprise SCM eProcurement	Manage Requisition Status	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	9.1, 9.2
CVE-2018-2653	PeopleSoft Enterprise PeopleTools	Connected Query	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.54, 8.55, 8.56

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 12 new security fixes for Oracle Retail Applications. 9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	MICROS Relate CRM Software	Internal Operations (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.8.x, 11.4.x
CVE-2017-5645	MICROS Retail XBRi Loss Prevention	Retail (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1
CVE-2017-5645	Oracle Retail Assortment Planning	Application Core (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.1.3, 15.0.3, 16.0.1
CVE-2017-5645	Oracle Retail Convenience and Fuel POS Software	OPT Server (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.1.132
CVE-2017-5645	Oracle Retail Customer Management and Segmentation Foundation	Internal Operations (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.0.x
CVE-2017-5645	Oracle Retail Fiscal Management	NF Issuing (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.1
CVE-2017-5645	Oracle Retail Workforce Management	Configuration Issues (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	1.60.7, 1.64.0
CVE-2016-0635	Converged Commerce	Foundation Data	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	16.0.1
CVE-2016-9878	Oracle Retail Assortment Planning	Operations & Maintenance (Spring Framework)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	14.1.3, 15.0.3, 16.0.1
CVE-2017-12617	MICROS Retail XBRi Loss Prevention	Retail (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1
CVE-2017-5664	MICROS Relate CRM Software	Web Services (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	10.8.x, 11.4.x
CVE-2018-2730	Oracle Retail Merchandising System	Cross Pillar	HTTP	No	6.4	Network	Low	Low	None	Changed	Low	Low	None	16.0

Additional CVEs addressed are below:

The fix for CVE-2017-5664 also addresses CVE-2016-8735.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 2 new security fixes for Oracle Siebel CRM. Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2574	Siebel CRM Desktop	Outlook Client	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	16.0, 17.0
CVE-2018-2632	Siebel Engineering - Installer & Deployment	Siebel Approval Manager	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	16.0, 17.0

Oracle Sun Systems Products Suite Risk Matrix

This Critical Patch Update contains 13 new security fixes for the Oracle Sun Systems Products Suite. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2611	Sun ZFS Storage Appliance Kit (AK)	Core Services	HTTP	Yes	10.0	Network	Low	None	None	Changed	High	High	High	Prior to 8.7.13
CVE-2018-2623	Sun ZFS Storage Appliance Kit (AK)	User Interface	HTTP	Yes	9.3	Network	Low	None	None	Changed	High	Low	None	Prior to 8.7.13
CVE-2018-2664	Sun ZFS Storage Appliance Kit (AK)	User Interface	HTTP	Yes	9.0	Network	High	None	None	Changed	High	High	High	Prior to 8.7.13
CVE-2018-2624	Sun ZFS Storage Appliance Kit (AK)	User Interface	HTTP	Yes	8.6	Network	Low	None	None	Changed	High	None	None	Prior to 8.7.13
CVE-2016-0704	Integrated Lights Out Manager (ILOM)	System Management (Glibc, OpenSSL)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	3.x, 4.x
CVE-2018-2566	Integrated Lights Out Manager (ILOM)	Remote Console Application	TLS	No	7.7	Network	High	Low	Required	Changed	High	High	None	3.x, 4.x
CVE-2018-2710	Solaris	Kernel	ICMP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	10
CVE-2018-2568	Integrated Lights Out Manager (ILOM)	Remote Console Application	TLS	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	3.x, 4.x
CVE-2018-2578	Solaris	Kernel	None	No	7.2	Local	High	High	Required	Changed	High	High	High	11.3
CVE-2018-2717	Solaris	SPARC Platform	None	No	6.6	Local	Low	Low	Required	Un- changed	High	High	None	10, 11.3
CVE-2017-5715	Oracle X86 Servers	BIOS	None	No	5.6	Local	High	Low	None	Changed	High	None	None	SW 1.x, SW 2.x	See Note 1
CVE-2018-2577	Solaris	Kernel	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	11.3
CVE-2018-2560	Solaris	Kernel	None	No	5.0	Local	High	High	Required	Changed	High	None	None	11.3

Notes:

This includes Intel microcode that enables OS and VM level mitigations for CVE-2017-5715. Application of firmware patches to pick up the Intel microcode is required only for Oracle x86 servers using non Oracle OS and Virtualization software. Oracle OS and Oracle VM patches for CVE-2017-5715 will include updated Intel microcode.

Additional CVEs addressed are below:

The fix for CVE-2016-0704 also addresses CVE-2014-7817, CVE-2014-9402, CVE-2015-0293, CVE-2015-1472, CVE-2015-3195, CVE-2015-7547, CVE-2016-0703 and CVE-2016-0800.

Oracle Supply Chain Products Suite Risk Matrix

This Critical Patch Update contains 14 new security fixes for the Oracle Supply Chain Products Suite. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Agile Material and Equipment Management for Pharmaceuticals	Administration (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.3.3, 9.3.4
CVE-2017-5645	Oracle Agile Engineering Data Management	Internal Operations (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.1.3, 6.2.0, 6.2.1
CVE-2017-5645	Oracle Agile PLM	Security (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.3.3, 9.3.4, 9.3.5, 9.3.6
CVE-2017-5645	Oracle Agile PLM MCAD Connector	CAX Client (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.3, 3.4, 3.5, 3.6
CVE-2017-5645	Oracle Autovue for Agile Product Lifecycle Management	Internal Operations (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	21.0.0, 21.0.1
CVE-2017-5645	Oracle Transportation Management	Business Process Automation (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.2.11, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.1
CVE-2017-5645	Oracle Transportation Management	Importing and Exporting Data (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.1, 6.4.2
CVE-2017-12617	Oracle Agile PLM	Folders, Files & Attachments (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	9.3.3, 9.3.4, 9.3.5, 9.3.6
CVE-2017-12617	Oracle Transportation Management	Install (Apache Tomcat)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7
CVE-2017-5664	Oracle Agile Engineering Data Management	Install (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	6.1.3, 6.2.0, 6.2.1
CVE-2017-5664	Oracle Agile PLM	Folders, Files & Attachments (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	High	None	9.3.5, 9.3.6
CVE-2018-2609	Oracle Agile PLM	Security	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	9.3.5, 9.3.6
CVE-2018-2662	Oracle Transportation Management	Security	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	6.2.11, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.1
CVE-2018-2631	Oracle Transportation Management	Security	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	6.2.11, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.1, 6.4.2, 6.4.3

Additional CVEs addressed are below:

The fix for CVE-2017-5664 also addresses CVE-2016-8735.

Oracle Support Tools Risk Matrix

This Critical Patch Update contains 3 new security fixes for Oracle Support Tools. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-2615	OSS Support Tools	Diagnostic Assistant	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	Prior to 2.11.33
CVE-2018-2616	OSS Support Tools	Diagnostic Assistant	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	Prior to 2.11.33
CVE-2018-2617	OSS Support Tools	Diagnostic Assistant	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	Prior to 2.11.33

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 14 new security fixes for Oracle Virtualization. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Oracle Secure Global Desktop (SGD)	Core (Apache Log4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.3
CVE-2018-2694	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.1.32, Prior to 5.2.6
CVE-2018-2698	Oracle VM VirtualBox	Core	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	Prior to 5.1.32, Prior to 5.2.6
CVE-2018-2685	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.1.32, Prior to 5.2.6
CVE-2018-2686	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.1.32, Prior to 5.2.6
CVE-2018-2687	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.1.32, Prior to 5.2.6
CVE-2018-2688	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.1.32, Prior to 5.2.6
CVE-2018-2689	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.1.32, Prior to 5.2.6
CVE-2018-2690	Oracle VM VirtualBox	Core	None	No	8.6	Local	Low	None	Required	Changed	High	High	High	Prior to 5.1.32, Prior to 5.2.6
CVE-2018-2676	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 5.1.32, Prior to 5.2.6
CVE-2018-2693	Oracle VM VirtualBox	Guest Additions	None	No	8.2	Local	Low	Low	Required	Changed	High	High	High	Prior to 5.1.32, Prior to 5.2.6
CVE-2017-3736	Oracle Secure Global Desktop (SGD)	Core (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	5.3
CVE-2017-3736	Oracle VM VirtualBox	Core (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	Prior to 5.1.32, Prior to 5.2.4
CVE-2017-5715	Oracle VM VirtualBox	Core	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to 5.1.32, Prior to 5.2.6

Additional CVEs addressed are below:

The fix for CVE-2017-3736 also addresses CVE-2017-3735.