Oracle Critical Patch Update, October 2017

Note: this article is taken from http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Check whether your systems have the latest patches applied.

Oracle Critical Patch Update Advisory - October 2017

Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.

This Critical Patch Update contains 252 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at October 2017 Critical Patch Update: Executive Summary and Analysis.

Please note that on September 22, 2017, Oracle released Security Alert for CVE-2017-9805. Customers of affected Oracle product(s) are strongly advised to apply the fixes that were announced in this Security Alert as well as those contained in this Critical Patch Update.

This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available here.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Affected Products and Versions column. Please click on the link in the Patch Availability column below to access the documentation for patch availability information and installation instructions.

For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update October 2017 Documentation Map, My Oracle Support Note.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

| Affected Products and Versions | Patch Availability |
| --- | --- |
| Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2340 and prior to XCP3030 | Oracle and Sun Systems Products Suite |
| Java Advanced Management Console, version 2.7 | Oracle Java SE |
| JD Edwards EnterpriseOne Tools, version 9.2 | JD Edwards |
| JD Edwards World Security, versions A9.1, A9.2, A9.3, A9.4 | JD Edwards |
| Management Pack for Oracle GoldenGate, version 11.2.1.0.12 | Fusion Middleware |
| MICROS Retail XBRi Loss Prevention, versions 10.0.1, 10.5.0, 10.6.0, 10.7.7, 10.8.0, 10.8.1 | Retail Applications |
| MySQL Connectors, versions 6.9.9 and prior | Oracle MySQL Product Suite |
| MySQL Enterprise Monitor, versions 3.2.8.2223 and prior, 3.3.4.3247 and prior, 3.4.2.4181 and prior | Oracle MySQL Product Suite |
| MySQL Server, versions 5.5.57 and prior, 5.6.37 and prior, 5.7.19 and prior | Oracle MySQL Product Suite |
| Oracle Access Manager, version 11.1.2.3.0 | Fusion Middleware |
| Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0 | Oracle Supply Chain Products |
| Oracle Agile PLM, versions 9.3.5, 9.3.6 | Oracle Supply Chain Products |
| Oracle API Gateway, version 11.1.2.4.0 | Fusion Middleware |
| Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0 | Fusion Middleware |
| Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0 | Fusion Middleware |
| Oracle Business Process Management Suite, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 | Fusion Middleware |
| Oracle Communications Billing and Revenue Management, version 7.5 | Oracle Communications Billing and Revenue Management |
| Oracle Communications Diameter Signaling Router (DSR), version 7.x | Oracle Communications Diameter Signaling Router |
| Oracle Communications EAGLE LNP Application Processor, version 10.x | Oracle Communications EAGLE LNP Application Processor |
| Oracle Communications Messaging Server, version 8.x | Oracle Communications Messaging Server |
| Oracle Communications Order and Service Management, versions 7.2.4.x.x, 7.3.0.x.x, 7.3.1.x.x, 7.3.5.x.x | Oracle Communications Order and Service Management |
| Oracle Communications Policy Management, versions 11.5, 12.x | Oracle Communications Policy Management |
| Oracle Communications Services Gatekeeper, versions 5.1, 6.0 | Oracle Communications Services Gatekeeper |
| Oracle Communications Unified Session Manager, version SCz 7.x | Oracle Communications Unified Session Manager |
| Oracle Communications User Data Repository, version 10.x | Oracle Communications User Data Repository |
| Oracle Communications WebRTC Session Controller, versions 7.0, 7.1, 7.2 | Oracle Communications WebRTC Session Controller |
| Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1 | Database |
| Oracle Directory Server Enterprise Edition, version 11.1.1.7.0 | Fusion Middleware |
| Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | E-Business Suite |
| Oracle Endeca Information Discovery Integrator, versions 2.4, 3.0, 3.1, 3.2 | Fusion Middleware |
| Oracle Engineering Data Management, versions 6.1.3.0, 6.2.2.0 | Oracle Supply Chain Products |
| Oracle Enterprise Manager Ops Center, versions 12.2.2, 12.3.2 | Enterprise Manager |
| Oracle FLEXCUBE Universal Banking, versions 11.3, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0 | Oracle Financial Services Applications |
| Oracle Fusion Applications, versions 11.1.2 through 11.1.9 | Fusion Applications |
| Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.3.0, 12.2.1.1, 12.2.1.2, 12.2.1.3 | Fusion Middleware |
| Oracle GlassFish Server, versions 3.0.1, 3.1.2 | Fusion Middleware |
| Oracle Healthcare Master Person Index, version 4.x | Health Sciences |
| Oracle Hospitality Cruise AffairWhere, versions 2.2.5.0, 2.2.6.0, 2.2.7.0 | Oracle Hospitality Cruise AffairWhere |
| Oracle Hospitality Cruise Fleet Management, version 9.0.2.0 | Oracle Hospitality Cruise Fleet Management |
| Oracle Hospitality Cruise Materials Management, version 7.30.564.0 | Oracle Hospitality Cruise Materials Management |
| Oracle Hospitality Cruise Shipboard Property Management System, version 8.0.2.0 | Oracle Hospitality Cruise Shipboard Property Management System |
| Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1 | Oracle Hospitality Guest Access |
| Oracle Hospitality Hotel Mobile, version 1.1 | Oracle Hospitality Hotel Mobile |
| Oracle Hospitality OPERA 5 Property Services, versions 5.4.2.x through 5.5.1.x | Oracle Hospitality OPERA 5 Property Services |
| Oracle Hospitality Reporting and Analytics, versions 8.5.1, 9.0.0 | Oracle Hospitality Reporting and Analytics |
| Oracle Hospitality Simphony, versions 2.6, 2.7, 2.8, 2.9 | Oracle Hospitality Simphony |
| Oracle Hospitality Suite8, versions 8.10.1, 8.10.2 | Oracle Hospitality Suite8 |
| Oracle HTTP Server, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 | Fusion Middleware |
| Oracle Hyperion BI+, version 11.1.2.4 | Fusion Middleware |
| Oracle Hyperion Financial Reporting, version 11.1.2 | Fusion Middleware |
| Oracle Identity Manager, version 11.1.2.3.0 | Fusion Middleware |
| Oracle Identity Manager Connector, version 9.1.1.5.0 | Fusion Middleware |
| Oracle Integrated Lights Out Manager (ILOM), versions prior to 3.2.6 | Oracle and Sun Systems Products Suite |
| Oracle iPlanet Web Server, version 7.0 | Fusion Middleware |
| Oracle Java SE, versions 6u161, 7u151, 8u144, 9 | Oracle Java SE |
| Oracle Java SE Embedded, version 8u144 | Oracle Java SE |
| Oracle JDeveloper, versions 12.1.3.0.0, 12.2.1.2.0 | Fusion Middleware |
| Oracle JRockit, version R28.3.15 | Oracle Java SE |
| Oracle Managed File Transfer, versions 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 | Fusion Middleware |
| Oracle Outside In Technology, version 8.5.3.0 | Fusion Middleware |
| Oracle Retail Back Office, versions 13.2, 13.3, 13.4, 14.0, 14.1 | Retail Applications |
| Oracle Retail Clearance Optimization Engine, version 13.4 | Retail Applications |
| Oracle Retail Convenience and Fuel POS Software, version 2.1.132 | Retail Applications |
| Oracle Retail Markdown Optimization, versions 13.4, 14.0 | Retail Applications |
| Oracle Retail Point-of-Service, versions 13.2, 13.3, 13.4, 14.0, 14.1 | Retail Applications |
| Oracle Retail Store Inventory Management, versions 13.2.9, 14.0.4, 14.1.3, 15.0.1, 16.0.1 | Retail Applications |
| Oracle Retail Xstore Point of Service, versions 6.0.11, 6.5.11, 7.0.6, 7.1.6, 15.0.1 | Retail Applications |
| Oracle Secure Global Desktop (SGD), version 5.3 | Oracle Linux and Virtualization |
| Oracle SOA Suite, version 11.1.1.7.0 | Fusion Middleware |
| Oracle Transportation Management, versions 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.1, 6.4.2 | Oracle Supply Chain Products |
| Oracle Virtual Directory, versions 11.1.1.7.0, 11.1.1.9.0 | Fusion Middleware |
| Oracle VM VirtualBox, versions prior to 5.1.30 | Oracle Linux and Virtualization |
| Oracle WebCenter Content, versions 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0 | Fusion Middleware |
| Oracle WebCenter Sites, versions 11.1.1.8.0, 12.2.1.2.0 | Fusion Middleware |
| Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 | Fusion Middleware |
| PeopleSoft Enterprise FSCM, version 9.2 | PeopleSoft |
| PeopleSoft Enterprise HCM, version 9.2 | PeopleSoft |
| PeopleSoft Enterprise PeopleTools, versions 8.54, 8.55, 8.56 | PeopleSoft |
| PeopleSoft Enterprise PRTL Interaction Hub, version 9.1.00 | PeopleSoft |
| PeopleSoft Enterprise PT PeopleTools, versions 8.54, 8.55, 8.56 | PeopleSoft |
| PeopleSoft Enterprise SCM eProcurement, versions 9.1.00, 9.2.00 | PeopleSoft |
| Primavera Unifier, versions 9.13, 9.14, 10.x, 15.x, 16.x | Oracle Construction and Engineering Suite |
| Siebel Applications, versions 16.0, 17.0 | Siebel |
| Solaris Cluster, versions 3.3, 4.3 | Oracle and Sun Systems Products Suite |
| SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, versions prior to XCP 1123 | Oracle and Sun Systems Products Suite |
| SPARC M7, T7, S7 based Servers, versions prior to 9.7.6.b | Oracle and Sun Systems Products Suite |
| Sun ZFS Storage Appliance Kit (AK), version AK 2013 | Oracle and Sun Systems Products Suite |
| Tekelec HLR Router, version 4.x | Tekelec HLR Router |

Note:
  • Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
  • Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
  • Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security fixes required to resolve ZFSSA issues published in Critical Patch Updates (CPUs) and Solaris Third Party bulletins.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update October 2017 Availability Document, My Oracle Support Note 2296870.1.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly "Oracle Enterprise Manager Grid Control") and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.


Products in Extended Support

Patches released through the Critical Patch Update program are available to customers who have Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

  • Adam Willard of Blue Canopy: CVE-2017-10360
  • Alexey Tyurin of ERPScan: CVE-2017-10271
  • An Anonymous researcher via Beyond Security's SecuriTeam Secure Disclosure Program: CVE-2017-10355
  • Andrés Blanco of Onapsis: CVE-2017-10336
  • Behzad Najjarpour Jabbari, Secunia Research at Flexera Software: CVE-2017-10051
  • Charles Fol of Ambionics: CVE-2017-10362
  • Christopher Tarquini: CVE-2017-10268
  • Cris Neckar of Divergent Security: CVE-2017-10154
  • Daniel Ekberg of Swedish Public Employment Service: CVE-2017-10321
  • Daniel Fröjdendahl: CVE-2017-10293
  • David Litchfield of Apple: CVE-2017-10292
  • Devin Rosenbauer of Identity Works LLC: CVE-2017-10352
  • Dmitrii Iudin aka @ret5et of ERPScan: CVE-2017-10373
  • Fabio Pires of NCC Group: CVE-2017-10310, CVE-2017-10312
  • Federico Dotta of Media Service: CVE-2017-10271
  • Francesco Palmarini of Ca' Foscari University of Venice: CVE-2017-10345, CVE-2017-10356
  • Gaston Traberg of Onapsis: CVE-2017-10281, CVE-2017-10332, CVE-2017-10347, CVE-2017-3444, CVE-2017-3445, CVE-2017-3446
  • Hassan El Hadary - Secure Misr: CVE-2017-10363
  • Jakub Palaczynski of ING Services Polska: CVE-2017-10034
  • Jared McLaren of SecureWorks: CVE-2017-10259
  • Jeffrey Altman of Secure Endpoints Inc.: CVE-2017-10388
  • Joshua Graham of Datacom TSS: CVE-2017-10379
  • José Carlos Expósito Bueno of Internet Security Auditors: CVE-2017-10163
  • Juan Pablo Perez Etchegoyen of Onapsis: CVE-2017-10066, CVE-2017-10324, CVE-2017-10325, CVE-2017-10328, CVE-2017-10329, CVE-2017-10330, CVE-2017-10331, CVE-2017-10336
  • loopx9: CVE-2017-10352
  • Lukasz Mikula: CVE-2017-10060
  • Léa Nuel of NES: CVE-2017-10055
  • Marcin Wołoszyn of ING Services Polska: CVE-2017-10163, CVE-2017-10312, CVE-2017-10358, CVE-2017-10359
  • Marco Squarcina of Ca' Foscari University of Venice: CVE-2017-10345, CVE-2017-10356
  • Martin Doyhenard of Onapsis: CVE-2017-10322, CVE-2017-10326, CVE-2017-10332
  • Mathew Nash of NCC Group: CVE-2017-10310, CVE-2017-10312
  • Matias Mevied of Onapsis: CVE-2017-10323, CVE-2017-3444, CVE-2017-3445, CVE-2017-3446
  • Mauro Tempesta of Ca' Foscari University of Venice: CVE-2017-10345, CVE-2017-10356
  • Ming Yi Ang of SourceClear: CVE-2017-10385, CVE-2017-10391, CVE-2017-10393, CVE-2017-10400
  • Nikita Egorov of ERPScan: CVE-2017-10304, CVE-2017-10306
  • Orange Tsai: CVE-2017-10295
  • Owais Mehtab of IS: CVE-2017-10026, CVE-2017-10259
  • Reno Robert: CVE-2017-10392, CVE-2017-10407, CVE-2017-10408, CVE-2017-10428
  • Riccardo Focardi of Ca' Foscari University of Venice: CVE-2017-10345, CVE-2017-10356
  • Sebastian Cornejo of SIA Group: CVE-2017-10033
  • Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2017-10152
  • Steven Seeley of Source Incite: CVE-2017-10309
  • Tamas Szakaly: CVE-2017-10309
  • Tayeeb Rana of IS: CVE-2017-10026, CVE-2017-10259
  • Tobias Ospelt of modzero: CVE-2017-10356
  • Tor Erling Bjorstad of Mnemonic AS: CVE-2017-10060
  • Travis Emmert of Exodus Intelligence: CVE-2017-10369
  • Travis Emmert of Synack Red Team: CVE-2017-10364
  • Tushar Parab: CVE-2017-10159
  • Vahagn Vardanyan of ERPScan: CVE-2017-10366, CVE-2017-10409, CVE-2017-10410, CVE-2017-10411, CVE-2017-10412, CVE-2017-10413, CVE-2017-10414, CVE-2017-10415, CVE-2017-10416, CVE-2017-10417
  • Vicente Motos of SIA Group: CVE-2017-10033
  • Zakaria Amous: CVE-2017-10261

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program:

  • Andreev Ivan
  • Ian Haken
  • Jayson Grace of Sandia National Laboratories
  • Juan Pablo Perez Etchegoyen of Onapsis
  • Mohammad Abdullah - ErrOr SquaD Bangladesh
  • Or Hanuka of Motorola Solutions
  • Steven Danneman of Security Innovation
  • Tansel ÇETİN
  • Tzachy Horesh of Motorola Solutions

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:

  • Abdelfattah Ibrahim
  • Abhineeti Singh
  • Adam Willard of Blue Canopy
  • Ahsan Khan
  • Ali Ardic
  • Athul Jayaram
  • Berk İmran
  • Doğukan Karaciğer
  • Emad Shanab of Emad Abou Shanab
  • Karthik Reddy
  • Krishna Manoj Vandavasi
  • Lecamen Nartatez
  • Muhammad Osama
  • Mushraf Mustafa (3 reports)
  • Pal Patel
  • S. Venkatesh
  • SaifAllah benMassaoud
  • Teemu Kääriäinen
  • Vinod Kurup
  • Yassine Nafiai
  • Çağatay Çalı

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 16 January 2018
  • 17 April 2018
  • 17 July 2018
  • 16 October 2018

Modification History

| Date | Note |
| --- | --- |
| 2017-October-26 | Rev 3. Credit Statement Update; Affected versions update for CVE-2017-10065; CVSS score update for CVE-2017-10396. |
| 2017-October-19 | Rev 2. Credit Statement Update. |
| 2017-October-17 | Rev 1. Initial Release. |

Appendix - Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 6 new security fixes for the Oracle Database Server.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Oracle Database Server Risk Matrix

The columns Base Score through Availability are the CVSS VERSION 3.0 RISK columns (see Risk Matrix Definitions).

| CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2017-10321 | Core RDBMS | Create session | Oracle Net | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1 | See Note 1 |
| CVE-2016-6814 | Spatial (Apache Groovy) | None | Multiple | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 12.2.0.1 | See Note 2 |
| CVE-2017-10190 | Java VM | Create Session, Create Procedure | Multiple | No | 8.2 | Local | Low | High | None | Changed | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1 | |
| CVE-2016-8735 | WLM (Apache Tomcat) | None | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 12.2.0.1 | |
| CVE-2017-10261 | XML Database | Create Session | Oracle Net | No | 6.5 | Local | Low | Low | None | Changed | High | None | None | 11.2.0.4, 12.1.0.2 | See Note 3 |
| CVE-2017-10292 | RDBMS Security | Create User | Oracle Net | No | 2.3 | Local | Low | High | None | Unchanged | None | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1 | |

Notes:

  1. This score is for Windows platform version 11.2.0.4 of Database. For Windows platform version 12.1.0.2 and Linux, the score is 7.8 with scope Unchanged.
  2. Component installed optionally. Not in the default installation.
  3. This score is for Windows platform version 11.2.0.4 of Database. For Windows platform version 12.1.0.2 and Linux, the score is 5.5 with scope Unchanged.
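
The base scores in the Oracle Database Server risk matrix can be recomputed from its metric columns, which is a useful check when re-scoring a row for your own platform as Notes 1 and 3 do. The following is an added example, not part of Oracle's advisory: it applies the CVSS v3.0 base-score equations and metric weights from the CVSS specification to the six rows above; the function and variable names are illustrative.

```python
"""Recompute CVSS v3.0 base scores from risk-matrix columns (added example)."""
from math import floor

# Metric weights from the CVSS v3.0 specification, keyed by the words the
# advisory uses in its risk-matrix columns.
ATTACK_VECTOR = {"Network": 0.85, "Adjacent": 0.62, "Local": 0.55, "Physical": 0.20}
ATTACK_COMPLEXITY = {"Low": 0.77, "High": 0.44}
USER_INTERACTION = {"None": 0.85, "Required": 0.62}
CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}
# Privileges Required carries a higher weight when Scope is Changed.
PRIVS_REQUIRED = {
    "Unchanged": {"None": 0.85, "Low": 0.62, "High": 0.27},
    "Changed": {"None": 0.85, "Low": 0.68, "High": 0.50},
}


def roundup(value):
    """Round up to one decimal place without floating-point artefacts.

    Uses the integer-based procedure that the later CVSS v3.1 text spells
    out, so that a value such as 4.000000000001 yields 4.0 rather than 4.1.
    """
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (floor(scaled / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, c, i, a):
    """Return the CVSS v3.0 base score for one risk-matrix row."""
    if scope not in PRIVS_REQUIRED:
        raise ValueError("Scope must be 'Changed' or 'Unchanged': %r" % scope)
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if scope == "Changed":
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = (8.22 * ATTACK_VECTOR[av] * ATTACK_COMPLEXITY[ac]
                      * PRIVS_REQUIRED[scope][pr] * USER_INTERACTION[ui])
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    if scope == "Changed":
        total *= 1.08
    return roundup(min(total, 10.0))


def vector_string(av, ac, pr, ui, scope, c, i, a):
    """Build the CVSS:3.0 vector; each metric value abbreviates to its first letter."""
    keys = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
    values = (av, ac, pr, ui, scope, c, i, a)
    return "CVSS:3.0/" + "/".join("%s:%s" % (k, v[0]) for k, v in zip(keys, values))


# Rows copied from the Oracle Database Server risk matrix in this advisory:
# (CVE, published base score, AV, AC, PR, UI, Scope, C, I, A)
DATABASE_ROWS = [
    ("CVE-2017-10321", 8.8, "Local", "Low", "Low", "None", "Changed", "High", "High", "High"),
    ("CVE-2016-6814", 8.3, "Network", "High", "None", "Required", "Changed", "High", "High", "High"),
    ("CVE-2017-10190", 8.2, "Local", "Low", "High", "None", "Changed", "High", "High", "High"),
    ("CVE-2016-8735", 8.1, "Network", "High", "None", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2017-10261", 6.5, "Local", "Low", "Low", "None", "Changed", "High", "None", "None"),
    ("CVE-2017-10292", 2.3, "Local", "Low", "High", "None", "Unchanged", "None", "Low", "None"),
]


def mismatches(rows):
    """Return (CVE, published, recomputed) for rows whose scores disagree."""
    return [(cve, published, base_score(*metrics))
            for cve, published, *metrics in rows
            if base_score(*metrics) != published]


if __name__ == "__main__":
    for cve, published, *metrics in DATABASE_ROWS:
        print(cve, published, base_score(*metrics), vector_string(*metrics))
    # Notes 1 and 3: the same rows re-scored with Scope Unchanged.
    print("Note 1:", base_score("Local", "Low", "Low", "None", "Unchanged", "High", "High", "High"))
    print("Note 3:", base_score("Local", "Low", "Low", "None", "Unchanged", "High", "None", "None"))
```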

Additional CVEs addressed are below:

  • The fix for CVE-2016-8735 also addresses CVE-2016-6816 and CVE-2016-8745

 

Appendix - Oracle Communications Applications

Oracle Communications Applications Executive Summary

This Critical Patch Update contains 23 new security fixes for Oracle Communications Applications.  18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Communications Applications Risk Matrix

The columns Base Score through Availability are the CVSS VERSION 3.0 RISK columns (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2017-5461 | Oracle Communications Messaging Server | Security (NSS) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.x | |
| CVE-2016-5019 | Oracle Communications Services Gatekeeper | Security (Apache Trinidad) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 5.1, 6.0 | |
| CVE-2015-0235 | Oracle Communications User Data Repository | Security (glibc) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.x | |
| CVE-2015-3253 | Oracle Communications WebRTC Session Controller | Security (Apache Groovy) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.0, 7.1, 7.2 | |
| CVE-2015-0235 | Oracle Communications WebRTC Session Controller | Media (glibc) | TLS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.0, 7.1, 7.2 | |
| CVE-2015-7501 | Oracle Communications WebRTC Session Controller | Security (Apache Commons Collections) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 7.0, 7.1, 7.2 | |
| CVE-2016-0635 | Oracle Communications WebRTC Session Controller | Security (Spring) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 7.0, 7.1, 7.2 | |
| CVE-2016-2107 | Oracle Communications WebRTC Session Controller | Security (OpenSSL) | TLS | Yes | 8.2 | Network | Low | None | None | Unchanged | Low | None | High | 7.0, 7.1, 7.2 | |
| CVE-2014-0224 | Tekelec HLR Router | Security (OpenSSL) | TLS | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 4.x | |
| CVE-2016-7052 | Oracle Communications Diameter Signaling Router (DSR) | OAM and Signaling (OpenSSL) | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 7.x | |
| CVE-2016-6304 | Oracle Communications Unified Session Manager | Routing (OpenSSL) | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | SCz 7.x | |
| CVE-2014-0114 | Oracle Communications WebRTC Session Controller | Media (BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 7.0, 7.1, 7.2 | |
| CVE-2014-0107 | Oracle Communications WebRTC Session Controller | Security (Xalan) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 7.0, 7.1, 7.2 | |
| CVE-2014-4345 | Oracle Communications WebRTC Session Controller | Security (Kerberos) | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 7.0, 7.1, 7.2 | |
| CVE-2015-7501 | Oracle Communications Order and Service Management | Security (Apache Commons Collections) | Multiple | Yes | 7.1 | Network | Low | None | Required | Changed | Low | Low | Low | 7.2.4.x.x, 7.3.0.x.x, 7.3.1.x.x, 7.3.5.x.x | |
| CVE-2016-2381 | Oracle Communications Billing and Revenue Management | Security (Perl) | Multiple | No | 6.5 | Network | Low | Low | None | Unchanged | None | High | None | 7.5 | |
| CVE-2017-10153 | Oracle Communications WebRTC Session Controller | Security (Gson) | Multiple | No | 6.3 | Network | High | Low | None | Changed | None | None | High | 7.0, 7.1, 7.2 | |
| CVE-2017-10159 | Oracle Communications Policy Management | Portal, CMP | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.5, 12.x | |
| CVE-2017-3732 | Oracle Communications EAGLE LNP Application Processor | Patches (OpenSSL) | TLS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 10.x | |
| CVE-2014-3538 | Oracle Communications WebRTC Session Controller | Security (file) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 7.0, 7.1, 7.2 | |
| CVE-2014-8714 | Oracle Communications WebRTC Session Controller | Security (Wireshark) | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 7.0, 7.1, 7.2 | |
| CVE-2014-0062 | Oracle Communications WebRTC Session Controller | Security (Postgresql) | Multiple | No | 4.2 | Network | High | Low | None | Unchanged | Low | Low | None | 7.0, 7.1, 7.2 | |
| CVE-2014-3707 | Oracle Communications WebRTC Session Controller | Security (libcurl) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 7.0, 7.1, 7.2 | |

Additional CVEs addressed are below:

  • The fix for CVE-2014-0062 also addresses CVE-2014-0060
  • The fix for CVE-2014-0224 also addresses CVE-2014-0076, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-3470 and CVE-2014-3571
  • The fix for CVE-2014-3538 also addresses CVE-2014-3587
  • The fix for CVE-2014-3707 also addresses CVE-2014-3613
  • The fix for CVE-2014-4345 also addresses CVE-2014-4342
  • The fix for CVE-2014-8714 also addresses CVE-2014-8713
  • The fix for CVE-2015-7501 also addresses CVE-2015-4582
  • The fix for CVE-2016-2107 also addresses CVE-2015-0207, CVE-2015-0208, CVE-2015-0209, CVE-2015-0285, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0290, CVE-2015-0291, CVE-2015-0292, CVE-2015-0293, CVE-2015-1787, CVE-2015-1793 and CVE-2015-3195
  • The fix for CVE-2016-6304 also addresses CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303 and CVE-2016-6306
  • The fix for CVE-2016-7052 also addresses CVE-2014-0224, CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206, CVE-2015-0207, CVE-2015-0208, CVE-2015-0209, CVE-2015-0285, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0290, CVE-2015-0291, CVE-2015-0292, CVE-2015-0293, CVE-2015-1787, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-3197, CVE-2016-0701, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307 and CVE-2016-6308
  • The fix for CVE-2017-5461 also addresses CVE-2015-7181, CVE-2015-7182, CVE-2015-7183, CVE-2015-7575, CVE-2016-1950, CVE-2016-1979, CVE-2016-2834, CVE-2016-5285, CVE-2017-5462 and CVE-2017-7502

 

Appendix - Oracle Construction and Engineering Suite

Oracle Construction and Engineering Suite Executive Summary

This Critical Patch Update contains 1 new security fix for the Oracle Construction and Engineering Suite.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Construction and Engineering Suite Risk Matrix

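The columns Base Score through Availability are the CVSS VERSION 3.0 RISK columns (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2016-6814 | Primavera Unifier | Platform (Apache Groovy) | HTTP | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 9.13, 9.14, 10.x, 15.x, 16.x | |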

Appendix - Oracle E-Business Suite

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 26 new security fixes for the Oracle E-Business Suite.  25 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite Risk Matrix

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) spans the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-10330 | Oracle Common Applications | Gantt Server | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2017-10329 | Oracle Global Order Promising | Reschedule Sales Orders | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2017-10416 | Oracle Advanced Outbound Telephony | Setup and Configuration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2017-10417 | Oracle Advanced Outbound Telephony | Setup and Configuration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2017-10325 | Oracle Common Applications Calendar | Applications Calendar | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2017-10326 | Oracle Common Applications Calendar | Applications Calendar | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2017-10303 | Oracle Interaction Center Intelligence | Setup | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3 | |
| CVE-2017-10414 | Oracle iStore | Checkout and Order Placement | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2017-10409 | Oracle iStore | Merchant UI | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2017-10415 | Oracle iSupport | Others | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2017-10410 | Oracle Knowledge Management | Search | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2017-10411 | Oracle Knowledge Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2017-10412 | Oracle Knowledge Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2017-10413 | Oracle Mobile Field Service | Multiplatform Based on HTML5 | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2017-3444 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 | |
| CVE-2017-3445 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 | |
| CVE-2017-3446 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 | |
| CVE-2017-10323 | Oracle Web Applications Desktop Integrator | Application Service | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 | |
| CVE-2017-10328 | Oracle Application Object Library | Diagnostics | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2017-10332 | Oracle Universal Work Queue | Administration | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2017-10077 | Oracle Applications DBA | AD Utilities | HTTP | No | 6.5 | Network | Low | High | None | Unchanged | High | High | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2017-10331 | Oracle Application Object Library | Diagnostics | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2017-10324 | Oracle Applications Technology Stack | Oracle Forms | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2017-10066 | Oracle Applications Technology Stack | Oracle Forms | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2017-10322 | Oracle Common Applications Calendar | Applications Calendar | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
| CVE-2017-10387 | Oracle CRM Technical Foundation | Preferences | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | Low | None | 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | |
  


 

Appendix - Oracle Enterprise Manager Grid Control

Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Enterprise Manager Grid Control.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  This fix is not applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager Grid Control Risk Matrix

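CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) spans the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-6814 | Oracle Enterprise Manager Ops Center | Networking (Apache Groovy) | HTTP | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 12.2.2, 12.3.2 | |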
  


 

Appendix - Oracle Financial Services Applications

Oracle Financial Services Applications Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Financial Services Applications.  This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Financial Services Applications Risk Matrix

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) spans the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-10363 | Oracle FLEXCUBE Universal Banking | Security | HTTP | No | 7.1 | Network | Low | Low | None | Unchanged | High | Low | None | 11.3, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0 | See Note 1 |
 

Notes:

  1. Contact Support for fixes

 

Appendix - Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 40 new security fixes for Oracle Fusion Middleware.  26 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware Risk Matrix

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) spans the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2015-5254 | Oracle BI Publisher | BI Publisher Security (Apache ActiveMQ) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.1.7.0, 12.2.1.1.0, 12.2.1.2.0 | See Note 1 |
| CVE-2017-10271 | Oracle WebLogic Server | WLS Security | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 | |
| CVE-2016-6814 | Oracle JDeveloper | Java Business Objects (Apache Groovy) | HTTP | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 12.2.1.2.0, 12.1.3.0.0 | |
| CVE-2015-7501 | Management Pack for Oracle GoldenGate | Monitor (Apache Commons Collections) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.2.1.0.12 | |
| CVE-2016-0714 | Management Pack for Oracle GoldenGate | Monitor (Apache Tomcat) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.2.1.0.12 | |
| CVE-2015-7501 | Oracle Business Process Management Suite | Security (Apache Commons Collections) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.1.1.9.0, 12.2.1.1.0 | |
| CVE-2016-2834 | Oracle Directory Server Enterprise Edition | Admin Server (NSS) | HTTPS | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.1.1.7.0 | |
| CVE-2015-7501 | Oracle Endeca Information Discovery Integrator | Security (Apache Commons Collections) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 2.4, 3.0, 3.1, 3.2 | |
| CVE-2016-0635 | Oracle Endeca Information Discovery Integrator | Security (Spring Framework) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 3.2 | |
| CVE-2017-10034 | Oracle BI Publisher | Core Formatting API | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.1.1.7.0, 11.1.1.9.0 | |
| CVE-2017-10060 | Oracle Business Intelligence Enterprise Edition | Analytics Web General | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0 | |
| CVE-2017-10270 | Oracle Identity Manager Connector | Microsoft Active Directory | None | No | 8.2 | Local | Low | None | Required | Changed | None | High | High | 9.1.1.5.0 | |
| CVE-2017-10026 | Oracle SOA Suite | Fabric Layer | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.1.1.7.0 | |
| CVE-2017-10360 | Oracle WebCenter Content | Content Server | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | Low | High | None | 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0 | |
| CVE-2017-10259 | Oracle Access Manager | Web Server Plugin | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.1.2.3.0 | |
| CVE-2017-10037 | Oracle BI Publisher | Web Service API | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.1.1.7.0, 11.1.1.9.0 | |
| CVE-2015-7940 | Oracle Business Process Management Suite | Workspace and Process portal (Bouncy Castle Java package) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 | |
| CVE-2015-7940 | Oracle Business Process Management Suite | Runtime Engine (Bouncy Castle Java package) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 | |
| CVE-2016-3092 | Oracle GlassFish Server | Web Container (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 3.1.2 | |
| CVE-2015-7940 | Oracle Managed File Transfer | MFT Runtime Server (Bouncy Castle Java package) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 | |
| CVE-2017-10369 | Oracle Virtual Directory | Virtual Directory Server | HTTP | No | 7.5 | Network | High | Low | None | Unchanged | High | High | High | 11.1.1.7.0, 11.1.1.9.0 | |
| CVE-2017-5662 | Oracle API Gateway | Oracle API Gateway (Apache Batik) | HTTP | No | 7.3 | Network | Low | Low | Required | Unchanged | High | None | High | 11.1.2.4.0 | See Note 2 |
| CVE-2017-10391 | Oracle GlassFish Server | Administration | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 3.0.1, 3.1.2 | |
| CVE-2016-1181 | Oracle Identity Manager | OIM Legacy UI (Apache Struts 1) | HTTP | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 11.1.2.3.0 | |
| CVE-2017-10152 | Oracle WebLogic Server | Web Container | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 10.3.6.0.0, 12.1.3.0.0 | |
| CVE-2017-10163 | Oracle Business Intelligence Enterprise Edition | Analytics Web General | HTTP | No | 6.3 | Network | Low | Low | Required | Unchanged | Low | High | None | 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0 | See Note 3 |
| CVE-2017-10385 | Oracle GlassFish Server | Web Container | HTTP | Yes | 6.3 | Network | Low | None | Required | Unchanged | Low | Low | Low | 3.0.1, 3.1.2 | |
| CVE-2017-10393 | Oracle GlassFish Server | Web Container | HTTP | Yes | 6.3 | Network | Low | None | Required | Unchanged | Low | Low | Low | 3.0.1, 3.1.2 | |
| CVE-2017-10055 | Oracle iPlanet Web Server | Admin Graphical User Interface | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 7.0 | |
| CVE-2015-2808 | Oracle HTTP Server | Web Listener | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 | |
| CVE-2017-10352 | Oracle WebLogic Server | WLS-WebServices | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 | |
| CVE-2017-10051 | Oracle Outside In Technology | Outside In Filters | HTTP | No | 5.7 | Adjacent Network | Low | Low | None | Unchanged | None | None | High | 8.5.3.0 | See Note 4 |
| CVE-2017-10400 | Oracle GlassFish Server | Administration Graphical User Interface | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 3.1.2 | |
| CVE-2017-10154 | Oracle Access Manager | Web Server Plugin | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 11.1.2.3.0 | |
| CVE-2003-1418 | Oracle HTTP Server | Web Listener | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 11.1.1.9.0, 12.1.3.0.0 | |
| CVE-2017-10336 | Oracle WebLogic Server | Web Container | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 | |
| CVE-2017-10334 | Oracle WebLogic Server | Web Container | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 | |
| CVE-2017-10033 | Oracle WebCenter Sites | Support Tools | None | No | 4.0 | Local | High | None | None | Unchanged | Low | Low | None | 11.1.1.8.0, 12.2.1.2.0 | See Note 5 |
| CVE-2016-2183 | Oracle HTTP Server | OSSL Module | HTTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 | |
| CVE-2017-10166 | Oracle Security Service | C Oracle SSL API | HTTPS | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | FMW: 11.1.1.9.0, 12.1.3.0.0 | |
 

Notes:

  1. Please refer to Doc ID My Oracle Support Note 2310008.1 for instructions on how to address this issue.
  2. Please refer to Doc ID My Oracle Support Note 2313917.1 for instructions on how to address this issue.
  3. Please refer to Doc ID My Oracle Support Note 2310021.1 for instructions on how to address this issue.
  4. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.
  5. Please refer to Doc ID My Oracle Support Note 2318213.1 for instructions on how to address this issue.

Additional CVEs addressed are below:

  • The fix for CVE-2015-2808 also addresses CVE-2013-2566
  • The fix for CVE-2016-0714 also addresses CVE-2015-5351, CVE-2016-0706 and CVE-2016-0763
  • The fix for CVE-2016-1181 also addresses CVE-2014-0114, CVE-2015-0899 and CVE-2016-1182
  • The fix for CVE-2016-2834 also addresses CVE-2016-1950 and CVE-2016-1979

 

Appendix - Oracle Health Sciences Applications

Oracle Health Sciences Applications Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Health Sciences Applications.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Health Sciences Applications Risk Matrix

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) spans the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-6814 | Oracle Healthcare Master Person Index | Relationship Management (Apache Groovy) | HTTP | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 4.x | |
  


 

Appendix - Oracle Hospitality Applications

Oracle Hospitality Applications Executive Summary

This Critical Patch Update contains 37 new security fixes for Oracle Hospitality Applications.  13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Hospitality Applications Risk Matrix

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) spans the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-10402 | Oracle Hospitality Reporting and Analytics | Report | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 8.5.1, 9.0.0 | |
| CVE-2017-10405 | Oracle Hospitality Reporting and Analytics | Report | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | None | High | 8.5.1, 9.0.0 | |
| CVE-2017-10396 | Oracle Hospitality Cruise AffairWhere | AffairWhere | None | No | 8.2 | Local | Low | Low | Required | Changed | High | High | High | 2.2.5.0, 2.2.6.0, 2.2.7.0 | |
| CVE-2017-10404 | Oracle Hospitality Reporting and Analytics | iQuery | HTTP | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 8.5.1, 9.0.0 | |
| CVE-2017-5664 | Oracle Hospitality Guest Access | Base (Apache Tomcat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 4.2.0, 4.2.1 | |
| CVE-2017-10401 | Oracle Hospitality Cruise Materials Management | MMSUpdater | None | No | 8.7 | Local | Low | Low | None | Changed | Low | High | High | 7.30.564.0 | |
| CVE-2017-10372 | Oracle Hospitality Guest Access | Base | HTTP | No | 8.7 | Network | Low | High | None | Changed | None | High | High | 4.2.0, 4.2.1 | |
| CVE-2017-10398 | Oracle Hospitality Cruise Fleet Management | BaseMasterPage | None | No | 8.4 | Local | Low | Low | None | Changed | High | High | None | 9.0.2.0 | |
| CVE-2017-10050 | Oracle Hospitality Suite8 | WebConnect | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 8.10.1, 8.10.2 | |
| CVE-2017-10403 | Oracle Hospitality Reporting and Analytics | iQuery | HTTP | No | 8.0 | Network | High | Low | Required | Changed | High | High | High | 8.5.1, 9.0.0 | |
| CVE-2017-5662 | Oracle Hospitality Guest Access | Base (Apache Batik) | HTTP | No | 7.3 | Network | Low | Low | Required | Unchanged | High | None | High | 4.2.0, 4.2.1 | |
| CVE-2017-10353 | Oracle Hospitality Hotel Mobile | Suite8/RESTAPI | HTTP | No | 7.1 | Network | Low | Low | None | Unchanged | High | None | Low | 1.1 | |
| CVE-2017-10370 | Oracle Hospitality Guest Access | Base | HTTP | No | 6.9 | Network | Low | High | Required | Changed | High | Low | None | 4.2.0, 4.2.1 | |
| CVE-2017-10343 | Oracle Hospitality Simphony | Import/Export | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 2.8, 2.9 | |
| CVE-2017-10344 | Oracle Hospitality Simphony | Import/Export | HTTP | Yes | 6.5 | Network | High | None | None | Unchanged | High | Low | None | 2.8, 2.9 | |
| CVE-2017-10421 | Oracle Hospitality Suite8 | Leisure | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 8.10.1, 8.10.2 | |
| CVE-2017-10316 | Oracle Hospitality Suite8 | WebConnect | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 8.10.1, 8.10.2 | |
| CVE-2017-10361 | Oracle Hospitality Cruise Shipboard Property Management System | OHC DRS | HTTP | No | 6.4 | Network | Low | Low | None | Changed | Low | None | Low | 8.0.2.0 | |
| CVE-2017-10420 | Oracle Hospitality Suite8 | Leisure | HTTP | No | 6.4 | Network | Low | Low | None | Changed | None | Low | Low | 8.10.1, 8.10.2 | |
| CVE-2017-10397 | Oracle Hospitality Cruise Fleet Management | BaseMasterPage | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.0.2.0 | |
| CVE-2017-10339 | Oracle Hospitality Suite8 | WebConnect | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 8.10.1, 8.10.2 | |
| CVE-2017-10389 | Oracle Hospitality Suite8 | PMS | None | No | 5.7 | Local | Low | Low | Required | Changed | Low | Low | Low | 8.10.1, 8.10.2 | |
| CVE-2017-10395 | Oracle Hospitality Cruise Fleet Management | GangwayActivityWebApp | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 9.0.2.0 | |
| CVE-2017-10367 | Oracle Hospitality Simphony | Engagement | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 2.8, 2.9 | |
| CVE-2017-10340 | Oracle Hospitality Simphony | Import/Export | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 2.8, 2.9 | |
| CVE-2017-10425 | Oracle Hospitality Simphony | Service Host | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 2.6, 2.7, 2.8, 2.9 | |
| CVE-2017-10337 | Oracle Hospitality Suite8 | Leisure | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | None | Low | 8.10.1, 8.10.2 | |
| CVE-2017-10383 | Oracle Hospitality Guest Access | Interface | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 4.2.0, 4.2.1 | |
| CVE-2017-10319 | Oracle Hospitality Suite8 | Leisure | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.10.1, 8.10.2 | |
| CVE-2017-10054 | Oracle Hospitality Cruise Materials Management | MMS | None | No | 5.1 | Local | Low | None | None | Unchanged | Low | Low | None | 7.30.564.0 | |
| CVE-2017-10419 | Oracle Hospitality Suite8 | PMS | None | No | 5.1 | Local | Low | None | None | Unchanged | Low | Low | None | 8.10.1, 8.10.2 | |
| CVE-2017-10318 | Oracle Hospitality Suite8 | WebConnect | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | Low | None | None | 8.10.1, 8.10.2 | |
| CVE-2017-10375 | Oracle Hospitality Guest Access | Base | HTTP | No | 4.6 | Network | Low | Low | Required | Unchanged | Low | Low | None | 4.2.0, 4.2.1 | |
| CVE-2017-10197 | Oracle Hospitality OPERA 5 Property Services | Folios | None | No | 4.6 | Physical | Low | None | None | Unchanged | High | None | None | 5.4.2.x through 5.5.1.x | |
| CVE-2017-10317 | Oracle Hospitality Suite8 | WebConnect | None | No | 4.0 | Local | Low | None | None | Unchanged | Low | None | None | 8.10.1, 8.10.2 | |
| CVE-2017-10014 | Oracle Hospitality Hotel Mobile | Suite8/RESTAPI | HTTP | No | 3.5 | Network | Low | Low | Required | Unchanged | None | Low | None | 1.1 | |
| CVE-2017-10399 | Oracle Hospitality Cruise Fleet Management | GangwayActivityWebApp | HTTP | No | 3.1 | Network | High | Low | None | Unchanged | None | None | Low | 9.0.2.0 | |
 

Additional CVEs addressed are below:

  • The fix for CVE-2017-5664 also addresses CVE-2016-8735

 

Appendix - Oracle Hyperion

Oracle Hyperion Executive Summary

This Critical Patch Update contains 4 new security fixes for Oracle Hyperion.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Hyperion Risk Matrix

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) spans the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-10310 | Oracle Hyperion Financial Reporting | Security Models | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.1.2 | |
| CVE-2017-10312 | Oracle Hyperion BI+ | UI and Visualization | HTTP | Yes | 7.1 | Network | Low | None | Required | Unchanged | High | Low | None | 11.1.2.4 | |
| CVE-2017-10358 | Oracle Hyperion Financial Reporting | Workspace | HTTP | No | 6.4 | Network | Low | Low | None | Changed | Low | Low | None | 11.1.2 | |
| CVE-2017-10359 | Oracle Hyperion BI+ | UI and Visualization | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 11.1.2.4 | |
  


 

Appendix - Oracle Java SE

Oracle Java SE Executive Summary

This Critical Patch Update contains 22 new security fixes for Oracle Java SE.  20 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.


The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Low" instead of "High", lowering the CVSS Base Score. For example, a Base Score of 9.6 becomes 7.1. 
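
The rescoring described above can be reproduced from the CVSS v3.0 base score equations. The Python below is an added example, not part of Oracle's advisory: the function names are hypothetical, the weights and formulas are those of the CVSS v3.0 specification, and rounding is done on an integer-scaled value to avoid floating-point artefacts. The two sample rows are taken from the Java SE risk matrix on this page.

```python
"""CVSS v3.0 base score, used to re-derive the Java SE rescoring (9.6 -> 7.1)."""
import math

# Metric weights from the CVSS v3.0 specification, keyed by the labels
# used in the risk matrix columns.
AV = {"Network": 0.85, "Adjacent Network": 0.62, "Local": 0.55, "Physical": 0.20}
AC = {"Low": 0.77, "High": 0.44}
UI = {"None": 0.85, "Required": 0.62}
CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}
# The weight of Privileges Required depends on Scope.
PR = {
    "Unchanged": {"None": 0.85, "Low": 0.62, "High": 0.27},
    "Changed": {"None": 0.85, "Low": 0.68, "High": 0.50},
}


def roundup(value):
    """Round up to one decimal place, working on integers to avoid float error."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, c, i, a):
    """Return the CVSS v3.0 base score for one risk matrix row."""
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if scope == "Changed":
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    if impact <= 0:
        return 0.0
    exploitability = 8.22 * AV[av] * AC[ac] * PR[scope][pr] * UI[ui]
    if scope == "Changed":
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


def without_admin(row):
    """Apply the advisory's rule: C/I/A 'High' becomes 'Low' for non-admin users."""
    lowered = dict(row)
    for metric in ("c", "i", "a"):
        if lowered[metric] == "High":
            lowered[metric] = "Low"
    return lowered


# Metrics copied from two rows of the Java SE risk matrix on this page.
JAVA_ROWS = {
    "CVE-2017-10346": dict(av="Network", ac="Low", pr="None", ui="Required",
                           scope="Changed", c="High", i="High", a="High"),
    "CVE-2017-10274": dict(av="Network", ac="High", pr="None", ui="Required",
                           scope="Unchanged", c="High", i="High", a="None"),
}


def rescore(rows):
    """Return {cve: (score with administrator privileges, score without)}."""
    return {cve: (base_score(**m), base_score(**without_admin(m)))
            for cve, m in rows.items()}


if __name__ == "__main__":
    for cve, (admin, user) in rescore(JAVA_ROWS).items():
        print(f"{cve}: {admin} with administrator privileges, {user} without")
```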


Users should only use the default Java Plug-in and Java Web Start from the latest JDK or JRE 8 releases.

Oracle Java SE Risk Matrix

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) spans the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-10346 | Java SE, Java SE Embedded | Hotspot | Multiple | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144 | See Note 1 |
| CVE-2017-10285 | Java SE, Java SE Embedded | RMI | Multiple | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144 | See Note 1 |
| CVE-2017-10388 | Java SE, Java SE Embedded | Libraries | Kerberos | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144 | See Note 2 |
| CVE-2017-10309 | Java SE | Deployment | Multiple | Yes | 7.1 | Network | Low | None | Required | Changed | Low | Low | Low | Java SE: 8u144, 9 | See Note 1 |
| CVE-2017-10274 | Java SE | Smart Card IO | Multiple | Yes | 6.8 | Network | High | None | Required | Unchanged | High | High | None | Java SE: 6u161, 7u151, 8u144, 9 | See Note 1 |
| CVE-2017-10356 | Java SE, Java SE Embedded, JRockit | Security | None | No | 6.2 | Local | Low | None | None | Unchanged | High | None | None | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144; JRockit: R28.3.15 | See Note 3 |
| CVE-2017-10293 | Java SE | Javadoc | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Java SE: 6u161, 7u151, 8u144, 9 | See Note 1 |
| CVE-2017-10342 | Java Advanced Management Console | Server | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java Advanced Management Console: 2.7 | |
| CVE-2017-10350 | Java SE, Java SE Embedded | JAX-WS | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 7u151, 8u144, 9; Java SE Embedded: 8u144 | See Note 1 |
| CVE-2017-10349 | Java SE, Java SE Embedded | JAXP | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144 | See Note 1 |
| CVE-2017-10348 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144 | See Note 1 |
| CVE-2017-10357 | Java SE, Java SE Embedded | Serialization | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144 | See Note 1 |
| CVE-2016-9841 | Java SE, Java SE Embedded | Util (zlib) | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | Java SE: 6u161, 7u151, 8u144; Java SE Embedded: 8u144 | See Note 1 |
| CVE-2016-10165 | Java SE, Java SE Embedded, JRockit | 2D (Little CMS 2) | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | Java SE: 7u151, 8u144, 9; Java SE Embedded: 8u144; JRockit: R28.3.15 | See Note 3 |
| CVE-2017-10355 | Java SE, Java SE Embedded, JRockit | Networking | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144; JRockit: R28.3.15 | See Note 3 |
| CVE-2017-10281 | Java SE, Java SE Embedded, JRockit | Serialization | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144; JRockit: R28.3.15 | See Note 3 |
| CVE-2017-10347 | Java SE, JRockit | Serialization | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144 | See Note 1 |
| CVE-2017-10386 | Java Advanced Management Console | Sever | HTTP | No | 4.8 | Network | Low | High | Required | Changed | Low | Low | None | Java Advanced Management Console: 2.7 | |
| CVE-2017-10380 | Java Advanced Management Console | Server | HTTP | Yes | 4.7 | Network | High | None | Required | Changed | Low | Low | None | Java Advanced Management Console: 2.7 | |
| CVE-2017-10295 | Java SE, Java SE Embedded, JRockit | Networking | HTTP | Yes | 4.0 | Network | High | None | None | Changed | None | Low | None | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144; JRockit: R28.3.15 | See Note 3 |
| CVE-2017-10341 | Java Advanced Management Console | Server | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | Java Advanced Management Console: 2.7 | See Note 1 |
| CVE-2017-10345 | Java SE, Java SE Embedded, JRockit | Serialization | Multiple | Yes | 3.1 | Network | High | None | Required | Unchanged | None | None | Low | Java SE: 6u161, 7u151, 8u144, 9; Java SE Embedded: 8u144; JRockit: R28.3.15 | See Note 3 |
 

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
  2. Applies to the Java SE Kerberos client.
  3. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

Additional CVEs addressed are below:

  • The fix for CVE-2016-9841 also addresses CVE-2016-9840, CVE-2016-9842 and CVE-2016-9843

 

Appendix - Oracle JD Edwards Products

Oracle JD Edwards Products Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle JD Edwards Products.  Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle JD Edwards Products Risk Matrix

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) spans the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-3732 | JD Edwards EnterpriseOne Tools | Enterprise Infrastructure SEC (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 9.2 | |
| CVE-2017-3732 | JD Edwards World Security | GUI / World Vision (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | A9.1, A9.2, A9.3, A9.4 | |
 

Additional CVEs addressed are below:

  • The fix for CVE-2017-3732 also addresses CVE-2016-7055, CVE-2017-3730, CVE-2017-3731 and CVE-2017-3733

 

Appendix - Oracle MySQL

Oracle MySQL Executive Summary

This Critical Patch Update contains 25 new security fixes for Oracle MySQL.  6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) spans the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-10424 | MySQL Enterprise Monitor | Monitoring: Web | MySQL Protocol | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 3.2.8.2223 and earlier, 3.3.4.3247 and earlier, 3.4.2.4181 and earlier | |
| CVE-2017-5664 | MySQL Enterprise Monitor | Monitoring: General (Apache Tomcat) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 3.2.8.2223 and earlier, 3.3.4.3247 and earlier, 3.4.2.4181 and earlier | |
| CVE-2017-10155 | MySQL Server | Server: Pluggable Auth | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.6.37 and earlier, 5.7.19 and earlier | |
| CVE-2017-3731 | MySQL Server | Server: Security: Encryption (OpenSSL) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.6.35 and earlier, 5.7.18 and earlier | |
| CVE-2017-10379 | MySQL Server | Client programs | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 5.5.57 and earlier, 5.6.37 and earlier, 5.7.19 and earlier | |
| CVE-2017-10384 | MySQL Server | Server: DDL | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.5.57 and earlier, 5.6.37 and earlier, 5.7.19 and earlier | |
| CVE-2017-10276 | MySQL Server | Server: FTS | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.6.37 and earlier, 5.7.19 and earlier | |
| CVE-2017-10167 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.7.19 and earlier | |
| CVE-2017-10378 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.5.57 and earlier, 5.6.37 and earlier, 5.7.11 and earlier | |
| CVE-2017-10277 | MySQL Connectors | Connector/Net | MySQL Protocol | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 6.9.9 and earlier | |
| CVE-2017-10203 | MySQL Connectors | Connector/Net | MySQL Protocol | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 6.9.9 and earlier | |
| CVE-2017-10283 | MySQL Server | Server: Performance Schema | MySQL Protocol | No | 5.3 | Network | High | Low | None | Unchanged | None | None | High | 5.6.37 and earlier, 5.7.19 and earlier | |
| CVE-2017-10313 | MySQL Server | Group Replication GCS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.19 and earlier | |
| CVE-2017-10296 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.18 and earlier | |
| CVE-2017-10311 | MySQL Server | Server: FTS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.19 and earlier | |
| CVE-2017-10320 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.19 and earlier | |
| CVE-2017-10314 | MySQL Server | Server: Memcached | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.6.37 and earlier, 5.7.19 and earlier | |
| CVE-2017-10227 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.6.37 and earlier, 5.7.19 and earlier | |
| CVE-2017-10279 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.6.36 and earlier, 5.7.18 and earlier | |
| CVE-2017-10294 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.6.37 and earlier, 5.7.19 and earlier | |
| CVE-2017-10165 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.19 and earlier | |
| CVE-2017-10284 | MySQL Server | Server: Stored Procedure | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.18 and earlier | |
| CVE-2017-10286 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 5.6.37 and earlier, 5.7.19 and earlier | |
| CVE-2017-10268 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.1 | Local | High | High | None | Unchanged | High | None | None | 5.5.57 and earlier, 5.6.37 and earlier, 5.7.19 and earlier | |
| CVE-2017-10365 | MySQL Server | Server: InnoDB | MySQL Protocol | No | 3.8 | Network | Low | High | None | Unchanged | None | Low | Low | 5.7.18 and earlier | |
 

Additional CVEs addressed are below:

  • The fix for CVE-2017-3731 also addresses CVE-2016-7055 and CVE-2017-3732

 

Appendix - Oracle PeopleSoft Products

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 23 new security fixes for Oracle PeopleSoft Products.  13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle PeopleSoft Products Risk Matrix

The columns Base Score through Availability are the CVSS VERSION 3.0 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-10366 | PeopleSoft Enterprise PT PeopleTools | Performance Monitor | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.54, 8.55, 8.56 | |
| CVE-2017-10338 | PeopleSoft Enterprise PRTL Interaction Hub | Enterprise Portal | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 9.1.00 | |
| CVE-2017-10354 | PeopleSoft Enterprise PRTL Interaction Hub | Enterprise Portal | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 9.1.00 | |
| CVE-2017-10364 | PeopleSoft Enterprise PeopleTools | Updates Environment Mgmt | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 8.54, 8.55, 8.56 | |
| CVE-2017-10335 | PeopleSoft Enterprise PT PeopleTools | Elastic Search | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.55, 8.56 | |
| CVE-2017-10373 | PeopleSoft Enterprise PT PeopleTools | Health Center | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.55, 8.56 | |
| CVE-2017-10362 | PeopleSoft Enterprise PeopleTools | Sawbridge | HTTP | Yes | 7.2 | Network | Low | None | None | Changed | Low | None | Low | 8.54, 8.55, 8.56 | |
| CVE-2017-10280 | PeopleSoft Enterprise PeopleTools | Test Framework | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 8.54, 8.55, 8.56 | |
| CVE-2017-10418 | PeopleSoft Enterprise PT PeopleTools | PeopleSoft CDA | HTTP | No | 6.4 | Network | Low | Low | None | Changed | Low | Low | None | 8.56 | |
| CVE-2017-10351 | PeopleSoft Enterprise PT PeopleTools | Application Server | None | No | 6.2 | Local | Low | None | None | Unchanged | High | None | None | 8.54, 8.55, 8.56 | |
| CVE-2017-10158 | PeopleSoft Enterprise PeopleTools | Core | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.54, 8.55, 8.56 | |
| CVE-2017-10381 | PeopleSoft Enterprise PeopleTools | PIA Core Technology | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.54, 8.55, 8.56 | |
| CVE-2017-10406 | PeopleSoft Enterprise PeopleTools | PIA Core Technology | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.54, 8.55, 8.56 | |
| CVE-2017-10327 | PeopleSoft Enterprise PeopleTools | Query | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.54, 8.55, 8.56 | |
| CVE-2017-10368 | PeopleSoft Enterprise SCM eProcurement | Manage Requisition Status | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.1.00, 9.2.00 | |
| CVE-2017-10422 | PeopleSoft Enterprise PeopleTools | Updates Change Assistant | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 8.54 | |
| CVE-2017-10304 | PeopleSoft Enterprise HCM | Security | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 9.2 | |
| CVE-2017-10394 | PeopleSoft Enterprise PeopleTools | Security | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | None | Low | Low | 8.54, 8.55, 8.56 | |
| CVE-2017-10382 | PeopleSoft Enterprise PeopleTools | PIA Core Technology | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 8.54, 8.55, 8.56 | |
| CVE-2017-10306 | PeopleSoft Enterprise HCM | Security | HTTP | No | 4.6 | Network | Low | Low | Required | Unchanged | Low | Low | None | 9.2 | |
| CVE-2017-10164 | PeopleSoft Enterprise FSCM | Staffing Front Office | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 9.2 | |
| CVE-2017-10287 | PeopleSoft Enterprise FSCM | Strategic Sourcing | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 9.2 | |
| CVE-2017-10426 | PeopleSoft Enterprise FSCM | Staffing Front Office | HTTP | No | 2.7 | Network | Low | High | None | Unchanged | Low | None | None | 9.2 | |
  


 

Appendix - Oracle Retail Applications

Oracle Retail Applications Executive Summary

This Critical Patch Update contains 9 new security fixes for Oracle Retail Applications.  6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Retail Applications Risk Matrix

The columns Base Score through Availability are the CVSS VERSION 3.0 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-6814 | Oracle Retail Convenience and Fuel POS Software | OPT Server (Apache Groovy) | HTTP | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 2.1.132 | |
| CVE-2016-6814 | Oracle Retail Store Inventory Management | SIM Integration (Apache Groovy) | HTTP | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 13.2.9, 14.0.4, 14.1.3, 15.0.1, 16.0.1 | |
| CVE-2017-10065 | Oracle Retail Point-of-Service | Security | HTTP | No | 8.5 | Network | Low | Low | None | Changed | Low | High | None | 13.2, 13.3, 13.4, 14.0, 14.1 | |
| CVE-2017-5664 | MICROS Retail XBRi Loss Prevention | Retail (Apache Tomcat) | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 10.0.1, 10.5.0, 10.6.0, 10.7.7, 10.8.0, 10.8.1 | |
| CVE-2016-3506 | Oracle Retail Clearance Optimization Engine | Installation | Oracle Net | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 13.4 | |
| CVE-2016-3506 | Oracle Retail Markdown Optimization | Installation | Oracle Net | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 13.4, 14.0 | |
| CVE-2017-5662 | MICROS Retail XBRi Loss Prevention | Retail (Apache Batik) | HTTP | No | 7.3 | Network | Low | Low | Required | Unchanged | High | None | High | 10.0.1, 10.5.0, 10.6.0, 10.7.7, 10.8.0, 10.8.1 | |
| CVE-2017-10427 | Oracle Retail Xstore Point of Service | Point of Sale | HTTP | Yes | 6.5 | Network | High | None | None | Changed | Low | Low | Low | 6.0.11, 6.5.11, 7.0.6, 7.1.6, 15.0.1 | |
| CVE-2017-10423 | Oracle Retail Back Office | Security | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 13.2, 13.3, 13.4, 14.0, 14.1 | |
 

Additional CVEs addressed are below:

  • The fix for CVE-2017-5664 also addresses CVE-2016-8735

 

Appendix - Oracle Siebel CRM

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle Siebel CRM.  6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix

The columns Base Score through Availability are the CVSS VERSION 3.0 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2013-1903 | Siebel Apps - Field Service | Smart Answer (Python) | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 16.0, 17.0 | |
| CVE-2017-10263 | Siebel UI Framework | UIF Open UI | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 16.0, 17.0 | |
| CVE-2017-10333 | Siebel UI Framework | EAI | HTTP | No | 7.4 | Network | Low | Low | None | Changed | Low | Low | Low | 16.0, 17.0 | |
| CVE-2017-10302 | Siebel UI Framework | UIF Open UI | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 16.0, 17.0 | |
| CVE-2017-10315 | Siebel UI Framework | UIF Open UI | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 16.0, 17.0 | |
| CVE-2017-10162 | Siebel Core - Server Framework | Services | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 16.0, 17.0 | |
| CVE-2017-10300 | Siebel CRM Desktop | Siebel Business Service Issues | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 16.0, 17.0 | |
| CVE-2017-10264 | Siebel UI Framework | UIF Open UI | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 16.0, 17.0 | |
 

Additional CVEs addressed are below:

  • The fix for CVE-2013-1903 also addresses CVE-2013-0255, CVE-2013-1900, CVE-2013-1902, CVE-2014-0060, CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064, CVE-2014-0065 and CVE-2014-0066

 

Appendix - Oracle Sun Systems Products Suite

Oracle Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 10 new security fixes for the Oracle Sun Systems Products Suite.  6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

This CPU also addresses CVE-2017-5706 and CVE-2017-5709 in Oracle Server X7-2, X7-2L, X7-8.

Oracle Sun Systems Products Suite Risk Matrix

The columns Base Score through Availability are the CVSS VERSION 3.0 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-6304 | Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers | XCP Firmware | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to XCP2340 and Prior to XCP3030 | |
| CVE-2017-10260 | Oracle Integrated Lights Out Manager (ILOM) | System Management | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to 3.2.6 | |
| CVE-2016-6304 | SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers | XCP Firmware | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to XCP1123 | |
| CVE-2017-10265 | Oracle Integrated Lights Out Manager (ILOM) | System Management | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | Prior to 3.2.6 | |
| CVE-2017-3588 | Solaris Cluster | HA for MySQL | None | No | 7.3 | Local | Low | None | Required | Unchanged | High | High | Low | 3.3, 4.3 | |
| CVE-2016-7431 | Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers | XCP Firmware | NTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | Prior to XCP2340 and Prior to XCP3030 | |
| CVE-2016-7431 | SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers | XCP Firmware | NTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | Prior to XCP1123 | |
| CVE-2017-10275 | Sun ZFS Storage Appliance Kit (AK) | Filesystem | None | No | 5.0 | Local | Low | Low | Required | Unchanged | None | None | High | AK 2013 | |
| CVE-2017-10099 | SPARC M7, T7, S7 based Servers | Firmware | None | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | Prior to 9.7.6.b | |
| CVE-2017-10194 | Oracle Integrated Lights Out Manager (ILOM) | System Management | HTTP | No | 2.7 | Network | Low | High | None | Unchanged | Low | None | None | Prior to 3.2.6 | |
 

Additional CVEs addressed are below:

  • The fix for CVE-2016-6304 also addresses CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6306, CVE-2016-6515 and CVE-2017-3731
  • The fix for CVE-2016-7431 also addresses CVE-2016-7429 and CVE-2016-7433

 

Appendix - Oracle Supply Chain Products Suite

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 7 new security fixes for the Oracle Supply Chain Products Suite.  4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Supply Chain Products Suite Risk Matrix

The columns Base Score through Availability are the CVSS VERSION 3.0 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2015-7501 | Oracle Agile Engineering Data Management | Install (Apache Commons Collections) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 6.1.3, 6.2.0 | |
| CVE-2016-3092 | Oracle Transportation Management | Install (Apache Commons FileUpload) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.4.1, 6.4.2 | |
| CVE-2017-5664 | Oracle Transportation Management | Install (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7 | |
| CVE-2017-3732 | Oracle Agile Engineering Data Management | Install (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 6.1.3, 6.2.0 | |
| CVE-2017-10161 | Oracle Engineering Data Management | Web Services Security | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 6.1.3.0, 6.2.2.0 | |
| CVE-2017-10299 | Oracle Agile PLM | Security | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 9.3.5, 9.3.6 | |
| CVE-2017-10308 | Oracle Agile PLM | Performance | None | No | 3.5 | Physical | Low | None | None | Unchanged | Low | Low | None | 9.3.5, 9.3.6 | |
 

Additional CVEs addressed are below:

  • The fix for CVE-2016-3092 also addresses CVE-2013-0248 and CVE-2014-0050
  • The fix for CVE-2017-3732 also addresses CVE-2016-7055, CVE-2017-3730, CVE-2017-3731 and CVE-2017-3733
  • The fix for CVE-2017-5664 also addresses CVE-2016-8735

 

Appendix - Oracle Virtualization

Oracle Virtualization Executive Summary

This Critical Patch Update contains 6 new security fixes for Oracle Virtualization.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Virtualization Risk Matrix

The columns Base Score through Availability are the CVSS VERSION 3.0 RISK (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-3167 | Oracle Secure Global Desktop (SGD) | Web Server (Apache HTTP Server) | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | High | None | High | 5.3 | |
| CVE-2017-10392 | Oracle VM VirtualBox | Core | None | No | 7.3 | Local | Low | High | None | Changed | Low | Low | High | Prior to 5.1.30 | |
| CVE-2017-10407 | Oracle VM VirtualBox | Core | None | No | 7.3 | Local | Low | High | None | Changed | Low | Low | High | Prior to 5.1.30 | |
| CVE-2017-10408 | Oracle VM VirtualBox | Core | None | No | 7.3 | Local | Low | High | None | Changed | Low | Low | High | Prior to 5.1.30 | |
| CVE-2017-3733 | Oracle VM VirtualBox | Core (OpenSSL) | TLS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | Prior to 5.1.30 | |
| CVE-2017-10428 | Oracle VM VirtualBox | Core | None | No | 5.0 | Local | High | High | None | Changed | Low | Low | Low | Prior to 5.1.30 | |
 

Additional CVEs addressed are below:

  • The fix for CVE-2017-3167 also addresses CVE-2017-3169, CVE-2017-7668, CVE-2017-7679 and CVE-2017-9788
  • The fix for CVE-2017-3733 also addresses CVE-2017-3730, CVE-2017-3731 and CVE-2017-3732