Oracle Critical Patch Update Advisory - July 2020

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Please refer to:

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 444 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at July 2020 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions | Patch Availability Document
Category Management Planning & Optimization, version 15.0.3 | Retail Applications
Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0 | Retail Applications
Enterprise Manager Base Platform, versions 12.1.0.5, 13.3.0.0, 13.4.0.0 | Enterprise Manager
Enterprise Manager for Fusion Middleware, version 12.1.0.5 | Enterprise Manager
Enterprise Manager Ops Center, version 12.4.0.0 | Enterprise Manager
GoldenGate Stream Analytics, versions prior to 19.1.0.0.1 | Database
Hyperion Financial Close Management, version 11.1.2.4 | Fusion Middleware
Instantis EnterpriseTrack, versions 17.1-17.3 | Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.4.2 | JD Edwards
JD Edwards EnterpriseOne Tools, versions prior to 9.2.3.3, prior to 9.2.4.2 | JD Edwards
MySQL Client, versions 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior | MySQL
MySQL Cluster, versions 7.3.29 and prior, 7.4.28 and prior, 7.5.18 and prior, 7.6.14 and prior, 8.0.20 and prior | MySQL
MySQL Connectors, versions 8.0.20 and prior | MySQL
MySQL Enterprise Monitor, versions 4.0.12 and prior, 8.0.20 and prior | MySQL
MySQL Server, versions 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior | MySQL
Oracle Agile Engineering Data Management, version 6.2.1.0 | Oracle Supply Chain Products
Oracle Application Express, versions 5.1-19.2 | Database
Oracle Application Testing Suite, versions 13.2.0.1, 13.3.0.1 | Enterprise Manager
Oracle AutoVue, version 21.0 | Oracle Supply Chain Products
Oracle Banking Enterprise Collections, versions 2.7.0-2.9.0 | Oracle Banking Platform
Oracle Banking Payments, versions 14.1.0-14.4.0 | Oracle Financial Services Applications
Oracle Banking Platform, versions 2.4.0-2.10.0 | Oracle Banking Platform
Oracle Berkeley DB, versions prior to 6.1.38, prior to 18.1.40 | Berkeley DB
Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware
Oracle Commerce Guided Search / Oracle Commerce Experience Manager, versions 11.0, 11.1, 11.2, prior to 11.3.1 | Oracle Commerce
Oracle Commerce Platform, versions 11.1, 11.2, prior to 11.3.1 | Oracle Commerce
Oracle Commerce Service Center, versions 11.1, 11.2, prior to 11.3.1 | Oracle Commerce
Oracle Communications Analytics, version 12.1.1 | Oracle Communications Analytics
Oracle Communications Billing and Revenue Management, versions 7.5.0.23.0, 12.0.0.3.0 | Oracle Communications Billing and Revenue Management
Oracle Communications BRM - Elastic Charging Engine, versions 11.3, 12.0 | Oracle Communications BRM - Elastic Charging Engine
Oracle Communications Contacts Server, version 8.0.0.4.0 | Oracle Communications Contacts Server
Oracle Communications Convergence, versions 3.0.1.0-3.0.2.1 | Oracle Communications Convergence
Oracle Communications Diameter Signaling Router (DSR), versions 8.0-8.4 | Oracle Communications Diameter Signaling Router
Oracle Communications Element Manager, versions 8.1.1, 8.2.0, 8.2.1 | Oracle Communications Element Manager
Oracle Communications Evolved Communications Application Server, version 7.1 | Oracle Communications Evolved Communications Application Server
Oracle Communications Instant Messaging Server, version 10.0.1.4.0 | Oracle Communications Instant Messaging Server
Oracle Communications Interactive Session Recorder, versions 6.1-6.4 | Oracle Communications Interactive Session Recorder
Oracle Communications IP Service Activator, versions 7.3.0, 7.4.0 | Oracle Communications IP Service Activator
Oracle Communications LSMS, versions 13.0-13.3 | Oracle Communications LSMS
Oracle Communications Messaging Server, versions 8.0.2, 8.1.0 | Oracle Communications Messaging Server
Oracle Communications MetaSolv Solution, version 6.3.0 | Oracle Communications MetaSolv Solution
Oracle Communications Network Charging and Control, versions 6.0.1, 12.0.0-12.0.3 | Oracle Communications Network Charging and Control
Oracle Communications Network Integrity, versions 7.3.2-7.3.6 | Oracle Communications Network Integrity
Oracle Communications Operations Monitor, versions 3.4, 4.1-4.3 | Oracle Communications Operations Monitor
Oracle Communications Order and Service Management, versions 7.3, 7.4 | Oracle Communications Order and Service Management
Oracle Communications Services Gatekeeper, versions 6.0, 6.1, 7.0 | Oracle Communications Services Gatekeeper
Oracle Communications Session Border Controller, versions 8.1.0, 8.2.0, 8.3.0 | Oracle Communications Session Border Controller
Oracle Communications Session Report Manager, versions 8.1.1, 8.2.0, 8.2.1 | Oracle Communications Session Report Manager
Oracle Communications Session Route Manager, versions 8.1.1, 8.2.0, 8.2.1 | Oracle Communications Session Route Manager
Oracle Configuration Manager, version 12.1.2.0.6 | Enterprise Manager
Oracle Configurator, versions 12.1, 12.2 | Oracle Supply Chain Products
Oracle Data Masking and Subsetting, versions 13.3.0.0, 13.4.0.0 | Enterprise Manager
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, [Spatial Studio] prior to 19.2.1 | Database
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9 | E-Business Suite
Oracle Endeca Information Discovery Studio, version 3.2.0 | Fusion Middleware
Oracle Enterprise Communications Broker, versions 3.0.0-3.2.0 | Oracle Enterprise Communications Broker
Oracle Enterprise Repository, version 11.1.1.7.0 | Fusion Middleware
Oracle Enterprise Session Border Controller, versions 8.1.0, 8.2.0, 8.3.0 | Oracle Enterprise Session Border Controller
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0 | Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Compliance Regulatory Reporting, versions 8.0.6-8.0.8 | Oracle Financial Services Compliance Regulatory Reporting
Oracle Financial Services Lending and Leasing, versions 12.5.0, 14.1.0-14.8.0 | Oracle Financial Services Applications
Oracle Financial Services Liquidity Risk Management, version 8.0.6 | Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.6-8.0.8 | Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Market Risk Measurement and Management, versions 8.0.6, 8.0.8 | Oracle Financial Services Market Risk Measurement and Management
Oracle Financial Services Regulatory Reporting for De Nederlandsche Bank, version 8.0.4 | Oracle Financial Services Regulatory Reporting for De Nederlandsche Bank
Oracle FLEXCUBE Investor Servicing, versions 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0 | Oracle Financial Services Applications
Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0 | Oracle Financial Services Applications
Oracle Fusion Middleware MapViewer, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Global Lifecycle Management/OPatch, versions prior to 12.2.0.1.20 | Global Lifecycle Management
Oracle GoldenGate, versions prior to 19.1.0.0.0 | Database
Oracle GraalVM Enterprise Edition, versions 19.3.2, 20.1.0 | Oracle GraalVM Enterprise Edition
Oracle Health Sciences Empirica Inspections, version 1.0.1.2 | Health Sciences
Oracle Health Sciences Empirica Signal, version 7.3.3 | Health Sciences
Oracle Healthcare Master Person Index, version 4.0.2 | Health Sciences
Oracle Healthcare Translational Research, versions 3.2.1, 3.3.1, 3.3.2, 3.4.0 | Health Sciences
Oracle Help Technologies, versions 11.1.1.9.0, 12.2.1.3.0 | Fusion Middleware
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1 | Oracle Hospitality Guest Access
Oracle Hospitality Reporting and Analytics, version 9.1.0 | Oracle Hospitality Reporting and Analytics
Oracle Hyperion BI+, version 11.1.2.4 | Fusion Middleware
Oracle iLearning, versions 6.1, 6.1.1 | iLearning
Oracle Insurance Accounting Analyzer, versions 8.0.6-8.0.9 | Oracle Insurance Accounting Analyzer
Oracle Insurance Data Gateway, version 1.0 | Oracle Insurance Applications
Oracle Insurance Policy Administration J2EE, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0 | Oracle Insurance Applications
Oracle Insurance Rules Palette, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0 | Oracle Insurance Applications
Oracle Java SE, versions 7u261, 8u251, 11.0.7, 14.0.1 | Java SE
Oracle Java SE Embedded, version 8u251 | Java SE
Oracle Outside In Technology, versions 8.5.4, 8.5.5 | Fusion Middleware
Oracle Rapid Planning, versions 12.1, 12.2 | Oracle Supply Chain Products
Oracle Real User Experience Insight, version 13.3.1.0 | Enterprise Manager
Oracle Retail Assortment Planning, versions 15.0, 15.0.3, 16.0, 16.0.3 | Retail Applications
Oracle Retail Bulk Data Integration, versions 15.0, 16.0 | Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, version 18.0 | Retail Applications
Oracle Retail Data Extractor for Merchandising, versions 1.9, 1.10, 18.0 | Retail Applications
Oracle Retail Extract Transform and Load, version 19.0 | Retail Applications
Oracle Retail Financial Integration, versions 15.0, 16.0 | Retail Applications
Oracle Retail Fusion Platform, version 5.5 | Retail Applications
Oracle Retail Integration Bus, versions 15.0, 15.0.3, 16.0, 16.0.3 | Retail Applications
Oracle Retail Invoice Matching, version 16.0 | Retail Applications
Oracle Retail Item Planning, version 15.0.3 | Retail Applications
Oracle Retail Macro Space Optimization, version 15.0.3 | Retail Applications
Oracle Retail Merchandise Financial Planning, version 15.0.3 | Retail Applications
Oracle Retail Merchandising System, versions 15.0.3, 16.0.2, 16.0.3 | Retail Applications
Oracle Retail Order Broker, version 15.0 | Retail Applications
Oracle Retail Predictive Application Server, versions 14.0.3, 14.1.3, 15.0.3, 16.0.3 | Retail Applications
Oracle Retail Regular Price Optimization, versions 15.0.3, 16.0.3 | Retail Applications
Oracle Retail Replenishment Optimization, version 15.0.3 | Retail Applications
Oracle Retail Sales Audit, version 14.1 | Retail Applications
Oracle Retail Service Backbone, versions 14.1, 15.0, 16.0 | Retail Applications
Oracle Retail Size Profile Optimization, version 15.0.3 | Retail Applications
Oracle Retail Store Inventory Management, versions 14.0.4, 14.1.3, 15.0.3, 16.0.3 | Retail Applications
Oracle Retail Xstore Point of Service, versions 7.1, 15.0, 16.0, 17.0, 18.0, 19.0 | Retail Applications
Oracle SD-WAN Aware, versions 8.0, 8.1, 8.2 | Oracle SD-WAN Aware
Oracle SD-WAN Edge, versions 8.0, 8.1, 8.2, 9.0 | Oracle SD-WAN Edge
Oracle Security Service, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Solaris, version 11 | Systems
Oracle TimesTen In-Memory Database, versions prior to 18.1.2.1.0 | Database
Oracle Transportation Management, versions 6.3.7, 6.4.3 | Oracle Supply Chain Products
Oracle Unified Directory, versions 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Utilities Framework, versions 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | Virtualization
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware
Oracle ZFS Storage Appliance Kit, version 8.8 | Systems
PeopleSoft Enterprise FIN Expenses, version 9.2 | PeopleSoft
PeopleSoft Enterprise HCM Global Payroll Switzerland, version 9.2 | PeopleSoft
PeopleSoft Enterprise HRMS, version 9.2 | PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58 | PeopleSoft
Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.7, 18.8.0-18.8.9, 19.12.0-19.12.4 | Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 16.1.0.0-16.2.20.1, 17.1.0.0-17.12.17.1, 18.1.0.0-18.8.19, 19.12.0-19.12.6 | Oracle Construction and Engineering Suite
Primavera Portfolio Management, versions 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0 | Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12, [Mobile App] prior to 20.6 | Oracle Construction and Engineering Suite
Siebel Applications, versions 2.20.5 and prior, 20.6 and prior | Siebel

Note:

  • Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
  • Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
  • Solaris Third Party Bulletins are used to announce security patches for third party software distributed with Oracle Solaris. Solaris 10 customers should refer to the latest patch-sets, which contain critical security fixes and are detailed in the Systems Patch Availability Document. Please see Reference Index of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more information.
  • Users running Java SE with a browser can download the latest release from https://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is its unique identifier. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

  • Abdullah Alzahrani: CVE-2020-14554, CVE-2020-14635
  • Alessandro Bosco of TIM S.p.A: CVE-2020-14690
  • Alexander Kornbrust of Red Database Security: CVE-2020-2984
  • Alves Christopher (Telecom Nancy): CVE-2020-14550, CVE-2020-14553, CVE-2020-14623
  • Ammarit Thongthua of Secure D Center Cybersecurity Team: CVE-2020-14558, CVE-2020-14564
  • Andrej Simko of Accenture: CVE-2020-14534, CVE-2020-14555, CVE-2020-14590, CVE-2020-14657, CVE-2020-14658, CVE-2020-14659, CVE-2020-14660, CVE-2020-14661, CVE-2020-14665, CVE-2020-14666, CVE-2020-14667, CVE-2020-14679, CVE-2020-14688
  • Antonin B. of NCIA / NCSC: CVE-2020-14610
  • Arseniy Sharoglazov of Positive Technologies: CVE-2020-14622
  • Artur Wojtkowski and CQURE Team: CVE-2020-14617, CVE-2020-14618
  • Billy Cody of Context Information Security: CVE-2020-14595
  • Bui Duong from Viettel Cyber Security: CVE-2020-14611
  • CERT/CC: CVE-2020-14558
  • Chathura Abeydeera of Deloitte Risk Advisory Pty Ltd: CVE-2020-14531
  • Chi Tran: CVE-2020-14534, CVE-2020-14716, CVE-2020-14717
  • Conor McErlane working with Trend Micro's Zero Day Initiative: CVE-2020-14628
  • Damian Bury: CVE-2020-14546
  • Edoardo Predieri of TIM S.p.A: CVE-2020-14690
  • Emad Al-Mousa of Saudi Aramco: CVE-2020-2969, CVE-2020-2978
  • Fabio Minarelli of TIM S.p.A: CVE-2020-14690
  • Filip Ceglik: CVE-2020-14560, CVE-2020-14565
  • Forum Bhayani: CVE-2020-14592
  • Francesco Russo of TIM S.p.A: CVE-2020-14690
  • Giovanni Delvecchio of Almaviva Security Assessment Team: CVE-2020-14607, CVE-2020-14608
  • Hangfan Zhang: CVE-2020-14575, CVE-2020-14654
  • Hugo Santiago dos Santos: CVE-2020-14613
  • Johannes Kuhn: CVE-2020-14556
  • Julien Zhan (Telecom Nancy): CVE-2020-14550, CVE-2020-14553, CVE-2020-14623
  • kdot working with Trend Micro Zero Day Initiative: CVE-2020-14664
  • Khuyen Nguyen of secgit.com: CVE-2020-14668, CVE-2020-14669, CVE-2020-14670, CVE-2020-14671, CVE-2020-14681, CVE-2020-14682, CVE-2020-14686
  • Kingkk: CVE-2020-14642, CVE-2020-14644
  • Kritsada Sunthornwutthikrai of Secure D Center Cybersecurity Team: CVE-2020-14558, CVE-2020-14564
  • Larry W. Cashdollar: CVE-2020-14724
  • Lionel Debroux: CVE-2020-2981
  • Luca Di Giuseppe of TIM S.p.A: CVE-2020-14690
  • Lucas Leong of Trend Micro Zero Day Initiative: CVE-2020-14646, CVE-2020-14647, CVE-2020-14648, CVE-2020-14649, CVE-2020-14650, CVE-2020-14673, CVE-2020-14674, CVE-2020-14694, CVE-2020-14695, CVE-2020-14703, CVE-2020-14704
  • lufei of Tencent Force: CVE-2020-14645
  • Lukas Braune of Siemens: CVE-2019-8457
  • Lukasz Mikula: CVE-2020-14541
  • Lukasz Rupala of ING Tech Poland: CVE-2020-14552
  • Maoxin Lin of Dbappsecurity Team: CVE-2020-14645, CVE-2020-14652
  • Marco Marsala: CVE-2020-14559
  • Markus Loewe: CVE-2020-14583
  • Markus Wulftange of Code White GmbH: CVE-2020-14644, CVE-2020-14645, CVE-2020-14687
  • Massimiliano Brolli of TIM S.p.A: CVE-2020-14690
  • Mateusz Dabrowski: CVE-2020-14584, CVE-2020-14585
  • Maxime Escourbiac of Michelin CERT: CVE-2020-14719, CVE-2020-14720
  • Mohamed Fadel: CVE-2020-14601, CVE-2020-14602, CVE-2020-14603, CVE-2020-14604, CVE-2020-14605
  • Ntears of Chaitin Security Team: CVE-2020-14645, CVE-2020-14652
  • Owais Zaman of Sabic: CVE-2020-14551
  • Pavel Cheremushkin: CVE-2020-14713
  • Philippe Antoine (Telecom Nancy): CVE-2020-14550, CVE-2020-14553, CVE-2020-14623
  • Philippe Arteau of GoSecure: CVE-2020-14577
  • Preeyakorn Keadsai of Secure D Center Cybersecurity Team: CVE-2020-14558, CVE-2020-14564
  • Przemyslaw Nowakowski: CVE-2020-2977
  • Quynh Le of VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-14625
  • r00t4dm from A-TEAM of Legendsec at Qi'anxin Group: CVE-2020-14636, CVE-2020-14637, CVE-2020-14638, CVE-2020-14639, CVE-2020-14640, CVE-2020-14645, CVE-2020-14652
  • Reno Robert working with Trend Micro Zero Day Initiative: CVE-2020-14629, CVE-2020-14675, CVE-2020-14676, CVE-2020-14677
  • Roberto Suggi Liverani of NCIA / NCSC: CVE-2020-14610
  • Roger Meyer: CVE-2020-2513, CVE-2020-2971, CVE-2020-2972, CVE-2020-2973, CVE-2020-2974, CVE-2020-2975, CVE-2020-2976
  • Roman Shemyakin: CVE-2020-14621
  • Rui Zhong: CVE-2020-14575, CVE-2020-14654
  • Saeed Shiravi: CVE-2020-14548
  • Shimizu Kawasaki of Asiainfo-sec of CSS Group: CVE-2020-14645, CVE-2020-14652
  • Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2020-14532, CVE-2020-14533
  • Suthum Thitiananpakorn: CVE-2020-14569
  • Ted Raffle of rapid7.com: CVE-2020-14535, CVE-2020-14536
  • Tomasz Stachowicz: CVE-2020-14570, CVE-2020-14571
  • Trung Le: CVE-2020-14534, CVE-2020-14716, CVE-2020-14717
  • Tuan Anh Nguyen of Viettel Cyber Security: CVE-2020-14598, CVE-2020-14599
  • Vijayakumar Muniraj of CybersecurityWorks Research Labs: CVE-2020-14723
  • Yaoguang Chen of Ant-financial Light-Year Security Lab: CVE-2020-14654, CVE-2020-14725
  • Yongheng Chen: CVE-2020-14575, CVE-2020-14654
  • ZeddYu Lu of StarCross Tech: CVE-2020-14588, CVE-2020-14589
  • Zhao Xin Jun: CVE-2020-14652
  • Zhongcheng Li (CK01) from Zero-dayits Team of Legendsec at Qi'anxin Group: CVE-2020-14711, CVE-2020-14712
  • Ziming Zhang from Codesafe Team of Legendsec at Qi'anxin Group: CVE-2020-14707, CVE-2020-14714, CVE-2020-14715
  • Ziming Zhang from Codesafe Team of Legendsec at Qi'anxin Group working with Trend Micro Zero Day Initiative: CVE-2020-14698, CVE-2020-14699, CVE-2020-14700
  • Zouhair Janatil-Idrissi (Telecom Nancy): CVE-2020-14550, CVE-2020-14553, CVE-2020-14623

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program:

  • Alexander Kornbrust of Red Database Security [10 reports]
  • Cao Linhong of Sangfor Furthereye Security Team
  • Chi Tran [2 reports]
  • Fatih Çelik
  • James Nichols of 80/20 Labs
  • lufei of Tencent Force
  • Maoxin Lin of Dbappsecurity Team
  • Marc Fielding of Google
  • Markus Loewe [2 reports]
  • r00t4dm from A-TEAM of Legendsec at Qi'anxin Group
  • Ryan Gerstenkorn
  • Saeid Tizpaz Niari
  • Shimizu Kawasaki of Asiainfo-sec of CSS Group
  • Trung Le [2 reports]
  • Venustech ADLab
  • Yu Wang of BMH Security Team [2 reports]

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:

  • 0xd0ff9 aka Bao Bui
  • 1ZRR4H aka Germán Fernández
  • @ngkogkos hunt4p1zza
  • Abdulkadir Mutlu
  • Abdullah Mohamed
  • Abhinav P
  • Aditra Andri Laksana
  • Ahmed Moustafa
  • Alfie Njeru (emenalf)
  • Aman Deep Singh Chawla
  • Anas Rahmani
  • Anat Bremler-Barr
  • Anis Azzi
  • Anon Venus
  • Ansar Uddin Anan
  • Ben Passmore
  • Celal Erdik of Ebruu Tech Limited
  • Chirag Prajapati
  • Dave Altena
  • Dhamu Harker
  • Dhiral Patel
  • Dhiren Kumar Pradhan
  • Elmonzer Kamaleldin of Monzer Kamal
  • HackersEra VMS [2 reports]
  • Hamza Megahed
  • Harpreet Singh of Pyramid Cyber Security & Forensic Pvt Ltd
  • Harry The DevOps Guy
  • Ilyas Orak
  • Jagdish Bharucha
  • Jatin Saini
  • Jeremy Lindsey of Burns & McDonnell [2 reports]
  • Jin DanLong
  • Josue Acevedo Maldonado
  • Ken Nevers
  • Kishore Hariram [2 reports]
  • Last Light [2 reports]
  • Lior Shafir
  • Luciano Anezin
  • Maayan Amid of Orca Security
  • Magrabur Alam Sofily
  • Matthijs R. Koot [2 reports]
  • Mayur Gupta
  • Meridian Miftari
  • Moaied Nagi Hassan (Moonlight)
  • Mohit Khemchandani
  • Muhammad Abdullah
  • Naveen Kumar
  • Ome Mishra
  • Prathmesh Lalingkar
  • Pratish Bhansali
  • Prince Achillies
  • Pritam Mukherjee
  • Rajesh Patil
  • Raphael Karger
  • Ricardo Iramar dos Santos
  • Ridvan Erbas
  • Roger Meyer
  • rootme34
  • Russell Muetzelfeldt of Flybuys
  • Saad Zitouni
  • Sajid Ali
  • Sam Jadali
  • Sarath Kumar (Kadavul)
  • Saurabh Dilip Mhatre
  • Severus of VietSunshine Security Engineering Team
  • Shailesh Kumar
  • Shubham Khadgi
  • Sipke Mellema
  • Siva Pathela
  • Smii Mondher
  • Srinivas M
  • Tinu Tomy
  • Tony Marcel Nasr [2 reports]
  • Tuatnh
  • Tushar Bhardwaj
  • Ujjwal Tyagi
  • Valentin Virtejanu of Lifespan
  • Victor Gevers
  • Viet Nguyen [2 reports]
  • Virendra Tiwari
  • Vishal Ajwani
  • Vlad Staricin
  • Yehuda Afek
  • Youssef A. Mohamed aka GeneralEG
  • Zubin

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 20 October 2020
  • 19 January 2021
  • 20 April 2021
  • 20 July 2021

Modification History

Date | Note
2020-December-1 | Rev 8. Updated CVSS score of CVE-2020-14564.
2020-August-31 | Rev 7. Credit Statement Update.
2020-August-3 | Rev 6. Credit Statement Update.
2020-July-27 | Rev 5. Credit Statement Update.
2020-July-24 | Rev 4. Affected version number changes to CVE-2020-14701 & CVE-2020-14606.
2020-July-23 | Rev 3. Added entry for CVE-2020-14725 in MySQL Risk Matrix. The fix was included in patches already released but was inadvertently not documented.
2020-July-20 | Rev 2. Credit Statement Update.
2020-July-14 | Rev 1. Initial Release.

Oracle Database Products Risk Matrices

This Critical Patch Update contains 27 new security patches for the Oracle Database Products divided as follows:

  • 19 new security patches for Oracle Database Server. 
  • 3 new security patches for Oracle Berkeley DB. 
  • 1 new security patch for Oracle Global Lifecycle Management. 
  • 3 new security patches for Oracle GoldenGate. 
  • 1 new security patch for Oracle TimesTen In-Memory Database. 

Oracle Database Server Risk Matrix

This Critical Patch Update contains 19 new security patches for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score (see Risk Matrix Definitions) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2016-1000031 | MapViewer (Apache Commons FileUpload) | Valid User Account | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.2.0.1, 18c, 19c | See Note 1
CVE-2020-2968 | Java VM | Create Session, Create Procedure | Multiple | No | 8.0 | Network | High | Low | Required | Changed | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
CVE-2016-9843 | Core RDBMS (zlib) | Create Session | Oracle Net | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 18c |
CVE-2020-2969 | Data Pump | DBA role account | Oracle Net | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
CVE-2020-8112 | GeoRaster (OpenJPG) | Create Session | Oracle Net | No | 5.7 | Network | Low | Low | Required | Unchanged | None | None | High | 18c |
CVE-2020-2513 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 |
CVE-2020-2971 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 |
CVE-2020-2972 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 |
CVE-2020-2973 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 |
CVE-2020-2974 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 |
CVE-2020-2976 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 |
CVE-2020-2975 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 |
CVE-2019-17569 | Workload Manager (Apache Tomcat) | None | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 12.2.0.1, 18c, 19c |
CVE-2020-2977 | Oracle Application Express | Valid User Account | HTTP | No | 4.6 | Network | Low | Low | Required | Unchanged | Low | Low | None | 5.1-19.2 |
CVE-2020-2978 | Oracle Database - Enterprise Edition | DBA role account | Oracle Net | No | 4.1 | Network | Low | High | None | Changed | None | Low | None | 12.1.0.2, 12.2.0.1, 18c, 19c |
CVE-2019-13990 | MapViewer (Terracotta Quartz Scheduler, Apache Batik, Google Guava) | Local Logon | None | No | 0.0 | Local | Low | Low | Required | Unchanged | None | None | None | 12.2.0.1, 18c, 19c | See Note 2
CVE-2018-18314 | Oracle Database (Perl) | Local Logon | None | No | 0.0 | Local | High | High | None | Unchanged | None | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | See Note 3
CVE-2019-10086 | Spatial Studio (Apache Commons Beanutils) | Local Logon | None | No | 0.0 | Local | Low | Low | None | Unchanged | None | None | None | Spatial Studio: Prior to 19.2.1 | See Note 4
CVE-2019-16943 | TFA (jackson-databind) | Local Logon | None | No | 0.0 | Local | High | High | None | Unchanged | None | None | None | 12.2.0.1, 18c, 19c | See Note 5
Notes:
  1. MapViewer is not deployed with a default installation. To use MapViewer the customer needs to re-deploy the MapViewer EAR file into Oracle WebLogic Server.
  2. The CVE-2019-13990 and other CVEs listed for this patch are not exploitable in the context of Oracle Spatial and Graph MapViewer product, thus the CVSS score is 0.0.
  3. None of the CVEs listed against this row are exploitable in the context of Oracle Database, thus the CVSS score is 0.0.
  4. The CVE-2019-10086 is not exploitable in the context of Oracle Spatial Studio product, thus the CVSS score is 0.0.
  5. The CVE-2019-16943 and additional CVEs addressed by this patch are not exploitable in the context of Oracle TFA, thus the CVSS score for the TFA patch for this issue is 0.0.
Additional CVEs addressed are below:
  • The patch for CVE-2016-9843 also addresses CVE-2016-9840, CVE-2016-9841 and CVE-2016-9842.
  • The patch for CVE-2018-18314 also addresses CVE-2015-8607, CVE-2015-8608, CVE-2016-2381, CVE-2017-12814, CVE-2017-12837, CVE-2017-12883, CVE-2018-12015, CVE-2018-18311, CVE-2018-18312, CVE-2018-18313, CVE-2018-6797, CVE-2018-6798 and CVE-2018-6913.
  • The patch for CVE-2019-13990 also addresses CVE-2018-10237 and CVE-2018-8013.
  • The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
  • The patch for CVE-2019-17569 also addresses CVE-2020-1935 and CVE-2020-1938.
  • The patch for CVE-2020-8112 also addresses CVE-2016-1923, CVE-2016-1924, CVE-2016-3183, CVE-2016-4796, CVE-2016-4797, CVE-2016-8332, CVE-2016-9112 and CVE-2020-6851.


Oracle Berkeley DB Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Berkeley DB.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score (see Risk Matrix Definitions) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-10140 | Data Store | None | None | No | 7.3 | Local | Low | Low | Required | Unchanged | High | High | High | Prior to 6.1.38 |
CVE-2020-2981 | Data Store | None | None | No | 7.0 | Local | High | None | Required | Unchanged | High | High | High | Prior to 18.1.40 |
CVE-2019-8457 | Data Store (SQLite) | None | TCP | No | 0.0 | Network | Low | None | Required | Unchanged | None | None | None | Prior to 18.1.40 | See Note 1
Notes:
  1. The CVE-2019-8457 is not exploitable in the context of Oracle Berkeley DB product, thus the CVSS score is 0.0.


Oracle Global Lifecycle Management Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Global Lifecycle Management.  This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score (see Risk Matrix Definitions) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-9546 | Oracle Global Lifecycle Management/OPatch | Patch Installer (jackson-databind) | None | No | 0.0 | Local | Low | Low | None | Unchanged | None | None | None | Prior to 12.2.0.1.20 | See Note 1
Notes:
  1. None of the CVEs listed against this row are exploitable in the Oracle Global Lifecycle Management product, thus the CVSS score is 0.0.
Additional CVEs addressed are below:
  • The patch for CVE-2020-9546 also addresses CVE-2019-16943, CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.


Oracle GoldenGate Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle GoldenGate.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score (see Risk Matrix Definitions) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-14705 | Oracle GoldenGate | Process Management | TCP | Yes | 9.6 | Adjacent Network | Low | None | None | Changed | High | High | High | Prior to 19.1.0.0.0 |
CVE-2019-0222 | GoldenGate Stream Analytics | Security (ActiveMQ) | TCP | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | Prior to 19.1.0.0.1 |
CVE-2019-14379 | GoldenGate Stream Analytics | Security / Application Adapters (jackson-databind, SLF4J, ZooKeeper, Apache Spark) | None | No | 0.0 | Local | Low | Low | None | Unchanged | None | None | None | Prior to 19.1.0.0.1 | See Note 1
Notes:
  1. CVE-2019-14379 and other CVEs addressed by these patches are not exploitable in the Oracle GoldenGate product, thus the CVSS score is 0.0.
Additional CVEs addressed are below:
  • The patch for CVE-2019-14379 also addresses CVE-2016-5017, CVE-2017-5637, CVE-2018-17190, CVE-2018-8012, CVE-2018-8088, CVE-2019-0201, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14439 and CVE-2019-14893.


Oracle TimesTen In-Memory Database Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle TimesTen In-Memory Database.  This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score (see Risk Matrix Definitions) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2018-18314 | Oracle TimesTen In-Memory Database | Doc, EM Plug-in (Perl) | Oracle Net | No | 0.0 | Network | Low | Low | None | Unchanged | None | None | None | Prior to 18.1.2.1.0 | See Note 1
Notes:
  1. None of the CVEs listed against this row are exploitable in the context of Oracle TimesTen In-Memory Database, thus the CVSS score is 0.0.
Additional CVEs addressed are below:
  • The patch for CVE-2018-18314 also addresses CVE-2015-8607, CVE-2015-8608, CVE-2016-2381, CVE-2017-12814, CVE-2017-12837, CVE-2017-12883, CVE-2018-12015, CVE-2018-18311, CVE-2018-18312, CVE-2018-18313, CVE-2018-6797, CVE-2018-6798 and CVE-2018-6913.

Oracle Commerce Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Commerce.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score (see Risk Matrix Definitions) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-14536 | Oracle Commerce Guided Search / Oracle Commerce Experience Manager | Workbench | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 11.0, 11.1, 11.2, prior to 11.3.1 |
CVE-2020-14535 | Oracle Commerce Service Center | Commerce Service Center | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 11.1, 11.2, prior to 11.3.1 |
CVE-2020-14532 | Oracle Commerce Platform | Dynamo Application Framework | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 11.1, 11.2, prior to 11.3.1 |
CVE-2020-14533 | Oracle Commerce Platform | Dynamo Application Framework | HTTP | No | 3.5 | Network | Low | High | Required | Unchanged | Low | Low | None | 11.1, 11.2, prior to 11.3.1 |

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 60 new security patches for Oracle Communications Applications.  46 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score (see Risk Matrix Definitions) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-14701 | Oracle SD-WAN Aware | User Interface | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 8.0, 8.1, 8.2 |
CVE-2020-14606 | Oracle SD-WAN Edge | User Interface | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 8.0, 8.1, 8.2, 9.0 |
CVE-2018-11058 | Oracle Communications Analytics | Platform (RSA BSAFE) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1.1 |
CVE-2019-16943 | Oracle Communications Billing and Revenue Management | Business Operation Center, Billing Care (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.5.0.23.0, 12.0.0.3.0 |
CVE-2016-1000031 | Oracle Communications Contacts Server | Core (Apache Commons FileUpload) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0.4.0 |
CVE-2020-9546 | Oracle Communications Contacts Server | Core (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0.4.0 |
CVE-2020-1938 | Oracle Communications Element Manager | Core (Apache Tomcat) | Apache JServ Protocol (AJP) | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.1.1, 8.2.0, 8.2.1 |
CVE-2020-9546 | Oracle Communications Evolved Communications Application Server | Session Design Center, Universal Data Recorder (jackson-databind) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.1 |
CVE-2020-1938 | Oracle Communications Instant Messaging Server | Installation (Apache Tomcat) | Apache JServ Protocol (AJP) | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.0.1.4.0 |
CVE-2020-9546 | Oracle Communications Instant Messaging Server | Presence API (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.0.1.4.0 |
CVE-2019-13990 | Oracle Communications IP Service Activator | Network Processor Configuration Management (Terracotta Quartz Scheduler) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.3.0, 7.4.0 |
CVE-2020-11656 | Oracle Communications Network Charging and Control | Data Access Pack (SQLite) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.0.1, 12.0.0-12.0.3 |
CVE-2019-2729 | Oracle Communications Network Integrity | Integration (Oracle WebLogic Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.3.2-7.3.6 |
CVE-2019-2904 | Oracle Communications Network Integrity | User Interface (Application Development Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.3.2-7.3.6 |
CVE-2017-5645 | Oracle Communications Network Integrity | Cartridge Management (Log4j) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.3.2-7.3.6 |
CVE-2020-7060 | Oracle Communications Diameter Signaling Router (DSR) | Platform (PHP) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 8.0-8.4 |
CVE-2020-1945 | Oracle Communications MetaSolv Solution | Online Help (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 6.3.0 |
CVE-2018-1258 | Oracle Communications Network Integrity | Core (Spring Framework) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 7.3.2-7.3.6 |
CVE-2020-9546 | Oracle Communications Network Charging and Control | Installer (jackson-databind) | None | No | 8.4 | Local | Low | None | None | Unchanged | High | High | High | 6.0.1, 12.0.0-12.0.3 |
CVE-2020-14580 | Oracle Communications Session Border Controller | System Admin | SSH | No | 8.2 | Network | Low | Low | Required | Changed | High | Low | Low | 8.1.0, 8.2.0, 8.3.0 |
CVE-2016-1181 | Oracle Communications Network Integrity | MSS Integration Cartridge (Apache Struts 1) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 7.3.2-7.3.6 |
CVE-2017-0861 | Oracle Communications LSMS | Kernel | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 13.0-13.3 |
CVE-2020-1945 | Oracle Communications Order and Service Management | Installer (Apache Ant) | None | No | 7.7 | Local | Low | None | None | Unchanged | High | High | None | 7.3, 7.4 |
CVE-2020-5398 | Oracle Communications BRM - Elastic Charging Engine | Orchestration (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.3, 12.0 |
CVE-2019-17359 | Oracle Communications Convergence | S/MIME Configuration (Bouncy Castle Java Library) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 3.0.1.0-3.0.2.1 |
CVE-2020-5398 | Oracle Communications Element Manager | Core (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 8.1.1, 8.2.0, 8.2.1 |
CVE-2019-0227 | Oracle Communications Network Integrity | Adapters (Apache Axis) | HTTP | Yes | 7.5 | Adjacent Network | High | None | None | Unchanged | High | High | High | 7.3.5, 7.3.6 |
CVE-2019-16056 | Oracle Communications Operations Monitor | VSP implementing webserver (Python) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 3.4, 4.1-4.3 |
CVE-2019-0227 | Oracle Communications Order and Service Management | Installer, CMWS, CMT (Apache Axis) | HTTP | Yes | 7.5 | Adjacent Network | High | None | None | Unchanged | High | High | High | 7.3, 7.4 |
CVE-2020-5398 | Oracle Communications Session Report Manager | Core (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 8.1.1, 8.2.0, 8.2.1 |
CVE-2020-5398 | Oracle Communications Session Route Manager | Core (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 8.1.1, 8.2.0, 8.2.1 |
CVE-2020-14630 | Oracle Enterprise Session Border Controller | File Upload | HTTP | No | 7.5 | Network | Low | High | Required | Changed | Low | Low | High | 8.1.0, 8.2.0, 8.3.0 |
CVE-2019-10193 | Oracle Communications Operations Monitor | FDP, VSP Login, Packet Inspector (Redis) | HTTP | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 3.4, 4.1 |
CVE-2019-12423 | Oracle Communications Element Manager | REST API (Apache CXF) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 8.1.1, 8.2.0, 8.2.1 |
CVE-2019-12423 | Oracle Communications Session Report Manager | REST API (Apache CXF) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 8.1.1, 8.2.0, 8.2.1 |
CVE-2019-12423 | Oracle Communications Session Route Manager | REST API (Apache CXF) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 8.1.1, 8.2.0, 8.2.1 |
CVE-2020-14721 | Oracle Enterprise Communications Broker | WebGUI | HTTP | No | 6.3 | Network | Low | Low | None | Unchanged | Low | Low | Low | 3.0.0-3.2.0 |
CVE-2020-11022 | Oracle Communications Analytics | Platform (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.1.1 |
CVE-2020-11022 | Oracle Communications Element Manager | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.1.1, 8.2.0, 8.2.1 |
CVE-2020-1941 | Oracle Communications Element Manager | Workorders (Apache ActiveMQ) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.1.1, 8.2.0, 8.2.1 |
CVE-2020-11022 | Oracle Communications Interactive Session Recorder | Dashboard (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 6.1-6.4 |
CVE-2019-17091 | Oracle Communications Network Integrity | Core (Eclipse Mojarra) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 7.3.5, 7.3.6 |
CVE-2020-11022 | Oracle Communications Operations Monitor | Mediation Engine, Dashboard, Graphs, Calls (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 3.4, 4.1-4.3 |
CVE-2020-11022 | Oracle Communications Session Report Manager | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.1.1, 8.2.0, 8.2.1 |
CVE-2020-1941 | Oracle Communications Session Report Manager | Workorders (Apache ActiveMQ) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.1.1, 8.2.0, 8.2.1 |
CVE-2020-11022 | Oracle Communications Session Route Manager | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.1.1, 8.2.0, 8.2.1 |
CVE-2020-1941 | Oracle Communications Session Route Manager | Workorders (Apache ActiveMQ) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.1.1, 8.2.0, 8.2.1 |
CVE-2020-14563 | Oracle Enterprise Communications Broker | WebGUI | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 3.0.0-3.2.0 |
CVE-2020-14722 | Oracle Enterprise Communications Broker | WebGUI | HTTP | Yes | 5.8 | Network | High | None | Required | Changed | Low | Low | Low | 3.0.0-3.2.0 |
CVE-2018-3639 | Oracle Communications LSMS | Kernel | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 13.0-13.3 |
CVE-2020-1951 | Oracle Communications Messaging Server | Security (Apache Tika) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 8.0.2, 8.1.0 |
CVE-2019-10247 | Oracle Communications Analytics | Platform (Eclipse Jetty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.1.1 |
CVE-2020-1934 | Oracle Communications Element Manager | Core (Apache HTTP Server) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.1.1, 8.2.0, 8.2.1 |
CVE-2019-10247 | Oracle Communications Services Gatekeeper | Platform Test Environment (Eclipse Jetty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 6.0, 6.1, 7.0 |
CVE-2020-1934 | Oracle Communications Session Report Manager | Core (Apache HTTP Server) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.1.1, 8.2.0, 8.2.1 |
CVE-2020-1934 | Oracle Communications Session Route Manager | Core (Apache HTTP Server) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.1.1, 8.2.0, 8.2.1 |
CVE-2020-14574 | Oracle Communications Interactive Session Recorder | FACE | None | No | 4.7 | Local | High | High | None | Unchanged | High | Low | None | 6.1-6.4 |
CVE-2020-9488 | Oracle Communications Instant Messaging Server | Installation (Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 10.0.1.4.0 |
CVE-2020-9488 | Oracle Communications Interactive Session Recorder | API, FACE, Archiver (Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 6.1-6.4 |
CVE-2020-9488 | Oracle Communications Network Charging and Control | Notification Gateway (Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 6.0.1, 12.0.0-12.0.3 |
Additional CVEs addressed are below:
  • The patch for CVE-2016-1181 also addresses CVE-2016-1182.
  • The patch for CVE-2017-0861 also addresses CVE-2017-15265, CVE-2018-1000004, CVE-2018-10901, CVE-2018-3620, CVE-2018-3646, CVE-2018-3693, CVE-2018-5390 and CVE-2018-7566.
  • The patch for CVE-2017-5645 also addresses CVE-2020-9488.
  • The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769.
  • The patch for CVE-2018-1258 also addresses CVE-2018-11039, CVE-2018-11040 and CVE-2018-1257.
  • The patch for CVE-2018-3639 also addresses CVE-2018-10675, CVE-2018-10872 and CVE-2018-3665.
  • The patch for CVE-2019-0227 also addresses CVE-2018-8032.
  • The patch for CVE-2019-10193 also addresses CVE-2019-10192.
  • The patch for CVE-2019-10247 also addresses CVE-2019-10246.
  • The patch for CVE-2019-12423 also addresses CVE-2019-17573.
  • The patch for CVE-2019-13990 also addresses CVE-2019-5427.
  • The patch for CVE-2019-16056 also addresses CVE-2019-16935.
  • The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
  • The patch for CVE-2019-2729 also addresses CVE-2019-2725.
  • The patch for CVE-2019-2904 also addresses CVE-2019-2094.
  • The patch for CVE-2020-11022 also addresses CVE-2019-11358 and CVE-2020-11023.
  • The patch for CVE-2020-11656 also addresses CVE-2020-11655, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632 and CVE-2020-9327.
  • The patch for CVE-2020-1934 also addresses CVE-2020-1927.
  • The patch for CVE-2020-1938 also addresses CVE-2019-17569 and CVE-2020-1935.
  • The patch for CVE-2020-1951 also addresses CVE-2020-1950.
  • The patch for CVE-2020-5398 also addresses CVE-2020-5397.
  • The patch for CVE-2020-7060 also addresses CVE-2020-7059.
  • The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 20 new security patches for Oracle Construction and Engineering.  15 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score (see Risk Matrix Definitions) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-5645 | Primavera Gateway | Admin (Apache Ant) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 16.2.0-16.2.11, 17.12.0-17.12.7 |
CVE-2020-10683 | Primavera P6 Enterprise Project Portfolio Management | Web Access (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 16.1.0.0-16.2.20.1, 17.1.0.0-17.12.17.1, 18.1.0.0-18.8.19, 19.12.0-19.12.6 |
CVE-2020-9546 | Primavera Unifier | Platform (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 16.1, 16.2, 17.7-17.12, 18.8, 19.12 |
CVE-2020-1945 | Primavera Unifier | Core (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 16.1, 16.2, 17.7-17.12, 18.8, 19.12 |
CVE-2018-17196 | Primavera P6 Enterprise Project Portfolio Management | Web Access (kafka client) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 19.12.0-19.12.6 |
CVE-2020-9484 | Instantis EnterpriseTrack | Core (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 17.1-17.3 |
CVE-2020-11022 | Primavera Gateway | Admin (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 16.2.0-16.2.11, 17.12.0-17.12.7, 18.8.0-18.8.9, 19.12.0-19.12.4 |
CVE-2020-2562 | Primavera Portfolio Management | Investor Module | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0 |
CVE-2020-14528 | Primavera Portfolio Management | Web Access | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0 |
CVE-2020-14706 | Primavera P6 Enterprise Project Portfolio Management | Web Access | HTTP | Yes | 5.9 | Network | High | None | Required | Unchanged | High | Low | None | 17.1.0.0-17.12.17.1, 18.1.0.0-18.8.19, 19.12.0-19.12.5 |
CVE-2020-14527 | Primavera Portfolio Management | Web Access | HTTP | Yes | 5.9 | Network | High | None | Required | Unchanged | High | Low | None | 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0 |
CVE-2020-14549 | Primavera Portfolio Management | Web Server | HTTPS | Yes | 5.9 | Network | High | None | Required | Unchanged | High | Low | None | 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0 |
CVE-2020-14618 | Primavera Unifier | Mobile App | HTTPS | Yes | 5.9 | Network | High | None | Required | Unchanged | High | Low | None | Prior to 20.6 |
CVE-2020-14617 | Primavera Unifier | Platform, Mobile App | HTTPS | No | 5.7 | Network | Low | Low | Required | Unchanged | High | None | None | 16.1, 16.2, 17.7-17.12, 18.8, 19.12; Mobile App: Prior to 20.6 |
CVE-2020-14653 | Primavera P6 Enterprise Project Portfolio Management | Web Access | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 16.1.0.0-16.2.20.1, 17.1.0.0-17.12.17.1, 18.1.0.0-18.8.18.2 |
CVE-2020-14529 | Primavera Portfolio Management | Investor Module | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0 |
CVE-2020-1934 | Instantis EnterpriseTrack | Core (Apache HTTP Server) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 17.1-17.3 |
CVE-2020-14566 | Primavera Portfolio Management | Web Access | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | Low | None | 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0 |
CVE-2020-9488 | Instantis EnterpriseTrack | Logging (Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 17.1-17.3 |
CVE-2020-9488 | Primavera Gateway | Admin (Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 16.2.0-16.2.11, 17.12.0-17.12.7, 18.8.0-18.8.9, 19.12.0-19.12.4 |
Additional CVEs addressed are below:
  • The patch for CVE-2017-5645 also addresses CVE-2020-1945.
  • The patch for CVE-2018-17196 also addresses CVE-2017-12610 and CVE-2018-1288.
  • The patch for CVE-2020-10683 also addresses CVE-2018-1000632.
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023.
  • The patch for CVE-2020-1934 also addresses CVE-2020-1927.
  • The patch for CVE-2020-9484 also addresses CVE-2019-17569, CVE-2020-1935 and CVE-2020-1938.
  • The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 30 new security patches for the Oracle E-Business Suite.  24 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the July 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (July 2020), My Oracle Support Note 2679563.1.

CVE# Product Component Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-14598 Oracle CRM Gateway for Mobile Devices Setup of Mobile Applications HTTP Yes 9.1 Network Low None None Un-
changed
High High None 12.1.1-12.1.3  
CVE-2020-14599 Oracle CRM Gateway for Mobile Devices Setup of Mobile Applications HTTP Yes 9.1 Network Low None None Un-
changed
High High None 12.1.1-12.1.3  
CVE-2020-14658 Oracle Marketing Marketing Administration HTTP Yes 9.1 Network Low None None Un-
changed
High High None 12.1.1-12.1.3, 12.2.3-12.2.9  
CVE-2020-14665 Oracle Trade Management Invoice HTTP Yes 9.1 Network Low None None Un-
changed
High High None 12.1.1-12.1.3, 12.2.3-12.2.9  
CVE-2020-14670 Oracle Advanced Outbound Telephony Settings HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.9  
CVE-2020-14671 Oracle Advanced Outbound Telephony User Interface HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3  
CVE-2020-14534 Oracle Applications Framework Popups HTTP Yes 8.2 Network Low None Required Changed High Low None 12.2.9  
CVE-2020-14688 Oracle Common Applications CRM User Management Framework HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.3, 12.2.3-12.2.9  
CVE-2020-14660 Oracle CRM Technical Foundation Preferences HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.3, 12.2.3-12.2.9  
CVE-2020-14682 Oracle Depot Repair Estimate and Actual Charges HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3  
CVE-2020-14668 Oracle E-Business Intelligence DBI Setups HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3  
CVE-2020-14681 Oracle E-Business Intelligence DBI Setups HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3  
CVE-2020-14666 Oracle Email Center Message Display HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.9  
CVE-2020-14596 Oracle iStore Address Book HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3  
CVE-2020-14582 Oracle iStore User Registration HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.9  
CVE-2020-14686 Oracle iSupport Others HTTP Yes 8.2 Network Low None Required Changed High Low None 12.1.1-12.1.3, 12.2.3-12.2.9  
CVE-2020-14719 Oracle Internet Expenses Mobile Expenses Admin Utilities HTTP No 7.7 Network Low Low None Changed None High None 12.2.4-12.2.9  
CVE-2020-14720 Oracle Internet Expenses Mobile Expenses Admin Utilities HTTP No 7.7 Network Low Low None Changed High None None 12.2.4-12.2.9  
CVE-2020-14610 Oracle Applications Framework Attachments / File Upload HTTP No 7.6 Network Low Low Required Changed High Low None 12.2.9  
CVE-2020-14657 Oracle CRM Technical Foundation Preferences HTTP No 7.6 Network Low Low Required Changed High Low None 12.1.3, 12.2.3-12.2.9  
CVE-2020-14667 Oracle CRM Technical Foundation Preferences HTTP No 7.6 Network Low Low Required Changed High Low None 12.1.3, 12.2.3-12.2.9  
CVE-2020-14679 Oracle CRM Technical Foundation Preferences HTTP Yes 7.5 Network Low None None Un-
changed
None None High 12.1.3, 12.2.3-12.2.9  
CVE-2020-14635 Oracle Application Object Library Logging HTTP Yes 5.3 Network Low None None Un-
changed
Low None None 12.2.5-12.2.9  
CVE-2020-14554 Oracle Application Object Library Diagnostics HTTP Yes 4.7 Network Low None Required Changed None Low None 12.1.3, 12.2.3-12.2.8  
CVE-2020-14716 Oracle Common Applications CRM User Management Framework HTTP Yes 4.7 Network Low None Required Changed None Low None 12.1.3, 12.2.3-12.2.9  
CVE-2020-14717 Oracle Common Applications CRM User Management Framework HTTP Yes 4.7 Network Low None Required Changed None Low None 12.1.3, 12.2.3-12.2.9  
CVE-2020-14659 Oracle CRM Technical Foundation Preferences HTTP Yes 4.7 Network Low None Required Changed None Low None 12.1.3, 12.2.3-12.2.9  
CVE-2020-14661 Oracle CRM Technical Foundation Preferences HTTP Yes 4.7 Network Low None Required Changed None Low None 12.1.3, 12.2.3-12.2.9  
CVE-2020-14555 Oracle Marketing Marketing Administration HTTP Yes 4.7 Network Low None Required Changed None Low None 12.1.1-12.1.3, 12.2.3-12.2.9  
CVE-2020-14590 Oracle Applications Framework Page Request HTTP No 2.7 Network Low High None Unchanged Low None None 12.1.3, 12.2.3-12.2.9

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 14 new security patches for Oracle Enterprise Manager.  10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the July 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2664876.1.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability
CVE-2020-9546 Enterprise Manager Base Platform Enterprise Manager Install (jackson-databind) HTTP Yes 9.8 Network Low None None Unchanged High High High 13.3.0.0, 13.4.0.0
CVE-2017-5645 Oracle Application Testing Suite Load Testing for Web Apps (Log4j) Multiple Yes 9.8 Network Low None None Unchanged High High High 13.3.0.1
CVE-2020-1945 Enterprise Manager Ops Center Networking (Apache Ant) HTTP Yes 9.1 Network Low None None Unchanged High High None 12.4.0.0
CVE-2019-0227 Enterprise Manager for Fusion Middleware Coherence Management (Apache Axis) HTTP Yes 8.8 Adjacent Network Low None None Unchanged High High High 12.1.0.5
CVE-2018-11776 Enterprise Manager Base Platform Reporting Framework (Apache Struts 2) HTTP Yes 8.1 Network High None None Unchanged High High High 13.3.0.0, 13.4.0.0
CVE-2019-0227 Enterprise Manager Base Platform Application Service Level Mgmt (Apache Axis) HTTP Yes 7.5 Adjacent Network High None None Unchanged High High High 12.1.0.5, 13.3.0.0
CVE-2020-7595 Oracle Real User Experience Insight APM Mesh (libxml2) HTTP Yes 7.5 Network Low None None Unchanged None None High 13.3.1.0
CVE-2020-2982 Enterprise Manager Base Platform Enterprise Config Management HTTP No 7.1 Network Low Low None Unchanged High Low None 13.3.0.0, 13.4.0.0
CVE-2020-2984 Oracle Configuration Manager Discovery and collection script HTTP No 7.1 Network Low Low None Unchanged High Low None 12.1.2.0.6
CVE-2020-2983 Oracle Data Masking and Subsetting Data Masking HTTP No 7.1 Network Low Low None Unchanged High Low None 13.3.0.0, 13.4.0.0
CVE-2019-17091 Oracle Application Testing Suite Load Testing for Web Apps (Eclipse Mojarra) HTTP Yes 6.1 Network Low None Required Changed Low Low None 13.2.0.1, 13.3.0.1  
CVE-2019-12415 Enterprise Manager Base Platform Application Service Level Mgmt (Apache POI) None No 5.5 Local Low Low None Unchanged High None None 12.1.0.5, 13.3.0.0, 13.4.0.0
CVE-2020-1934 Enterprise Manager Ops Center Networking (Apache HTTP Server) HTTP Yes 5.3 Network Low None None Unchanged Low None None 12.4.0.0
CVE-2019-1551 Enterprise Manager Ops Center Networking (OpenSSL) HTTPS Yes 5.3 Network Low None None Unchanged Low None None 12.4.0.0
Additional CVEs addressed are below:
  • The patch for CVE-2019-0227 also addresses CVE-2018-8032.
  • The patch for CVE-2019-12415 also addresses CVE-2017-12626.
  • The patch for CVE-2019-1551 also addresses CVE-2020-1967.
  • The patch for CVE-2020-1934 also addresses CVE-2019-0220, CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097 and CVE-2020-1927.
  • The patch for CVE-2020-1945 also addresses CVE-2017-5645.
  • The patch for CVE-2020-7595 also addresses CVE-2019-19956 and CVE-2019-20388.
  • The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 38 new security patches for Oracle Financial Services Applications.  26 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability
CVE-2019-13990 Oracle Banking Payments Core (Terracotta Quartz Scheduler) HTTP Yes 9.8 Network Low None None Unchanged High High High 14.1.0-14.4.0
CVE-2020-9546 Oracle Banking Platform Framework (jackson-databind) HTTP Yes 9.8 Network Low None None Unchanged High High High 2.4.0-2.9.0
CVE-2019-2904 Oracle Financial Services Lending and Leasing Core (Application Development Framework) HTTP Yes 9.8 Network Low None None Unchanged High High High 12.5.0, 14.1.0-14.2.0
CVE-2017-5645 Oracle Financial Services Lending and Leasing Core (Log4j) Multiple Yes 9.8 Network Low None None Unchanged High High High 12.5.0, 14.1.0-14.8.0
CVE-2017-15708 Oracle Financial Services Market Risk Measurement and Management User Interface (Apache Synapse) HTTP Yes 9.8 Network Low None None Unchanged High High High 8.0.6, 8.0.8
CVE-2019-13990 Oracle FLEXCUBE Investor Servicing Infrastructure (Terracotta Quartz Scheduler) HTTP Yes 9.8 Network Low None None Unchanged High High High 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2019-13990 Oracle FLEXCUBE Private Banking Core (Terracotta Quartz Scheduler) HTTP Yes 9.8 Network Low None None Unchanged High High High 12.0.0, 12.1.0
CVE-2019-11358 Oracle Insurance Accounting Analyzer User Interface (jQuery) HTTP Yes 9.8 Network Low None None Unchanged High High High 8.0.6-8.0.8
CVE-2020-1945 Oracle Financial Services Analytical Applications Infrastructure Infrastructure (Apache Ant) HTTP Yes 9.1 Network Low None None Unchanged High High None 8.0.6-8.1.0
CVE-2020-1945 Oracle FLEXCUBE Investor Servicing Infrastructure (Apache Ant) HTTP Yes 9.1 Network Low None None Unchanged High High None 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2020-1945 Oracle FLEXCUBE Private Banking Utilities (Apache Ant) HTTP Yes 9.1 Network Low None None Unchanged High High None 12.0.0, 12.1.0
CVE-2020-14569 Oracle FLEXCUBE Investor Servicing Infrastructure HTTP No 8.1 Network Low Low None Unchanged High High None 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2020-1945 Oracle Banking Enterprise Collections Installer (Apache Ant) None No 7.7 Local Low None None Unchanged High High None 2.7.0-2.9.0
CVE-2020-1945 Oracle Banking Platform Installer (Apache Ant) None No 7.7 Local Low None None Unchanged High High None 2.4.0-2.9.0
CVE-2019-0227 Oracle Financial Services Compliance Regulatory Reporting Web Service to Regulatory Report (Apache Axis) HTTP Yes 7.5 Adjacent Network High None None Unchanged High High High 8.0.6-8.0.8
CVE-2019-12402 Oracle FLEXCUBE Investor Servicing Infrastructure (Apache Commons Compress) HTTP Yes 7.5 Network Low None None Unchanged None None High 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
CVE-2019-12423 Oracle FLEXCUBE Private Banking Core (Apache CXF) HTTP Yes 7.5 Network Low None None Unchanged High None None 12.0.0, 12.1.0
CVE-2019-0188 Oracle FLEXCUBE Private Banking Core (Apache Camel) HTTP Yes 7.5 Network Low None None Unchanged High None None 12.0.0, 12.1.0
CVE-2019-17359 Oracle FLEXCUBE Private Banking Core (Bouncy Castle Java Library) TLS Yes 7.5 Network Low None None Unchanged None None High 12.0.0, 12.1.0
CVE-2020-14602 Oracle Financial Services Analytical Applications Infrastructure Infrastructure HTTP No 7.1 Network Low Low None Unchanged Low High None 8.0.6-8.1.0
CVE-2020-14691 Oracle Financial Services Liquidity Risk Management User Interface HTTP No 7.1 Network Low Low None Unchanged Low High None 8.0.6
CVE-2020-14605 Oracle Financial Services Analytical Applications Infrastructure Infrastructure HTTP No 6.5 Network Low Low None Unchanged None High None 8.0.6-8.1.0
CVE-2020-14685 Oracle Financial Services Analytical Applications Infrastructure Infrastructure HTTP No 6.5 Network Low Low None Unchanged None High None 8.0.6-8.1.0
CVE-2020-14692 Oracle Financial Services Loan Loss Forecasting and Provisioning User Interface HTTP No 6.5 Network Low Low None Unchanged None High None 8.0.6-8.0.8
CVE-2020-14693 Oracle Insurance Accounting Analyzer User Interface HTTP No 6.5 Network Low Low None Unchanged None High None 8.0.6-8.0.9
CVE-2020-14662 Oracle Financial Services Analytical Applications Infrastructure Infrastructure HTTP No 6.3 Network Low Low None Unchanged Low Low Low 8.0.6-8.1.0
CVE-2020-11022 Oracle Banking Enterprise Collections User Interface (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 2.7.0-2.8.0  
CVE-2020-11022 Oracle Banking Platform User Interface (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 2.4.0-2.10.0  
CVE-2020-14601 Oracle Financial Services Analytical Applications Infrastructure Infrastructure HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.0.6-8.1.0  
CVE-2020-14615 Oracle Financial Services Analytical Applications Infrastructure Infrastructure HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.0.6-8.1.0  
CVE-2020-11022 Oracle Financial Services Regulatory Reporting for De Nederlandsche Bank User Interface (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 8.0.4  
CVE-2019-12415 Oracle Banking Payments Core (Apache POI) None No 5.5 Local Low Low None Unchanged High None None 14.1.0-14.4.0
CVE-2019-12415 Oracle FLEXCUBE Private Banking Core (Apache POI) None No 5.5 Local Low Low None Unchanged High None None 12.0.0, 12.1.0
CVE-2020-14603 Oracle Financial Services Analytical Applications Infrastructure Infrastructure HTTP Yes 5.3 Network Low None None Unchanged Low None None 8.0.6-8.1.0
CVE-2020-14604 Oracle Financial Services Analytical Applications Infrastructure Infrastructure HTTP Yes 5.3 Network Low None None Unchanged Low None None 8.0.6-8.1.0
CVE-2020-14684 Oracle Financial Services Analytical Applications Infrastructure Infrastructure HTTP Yes 4.3 Network Low None Required Unchanged None Low None 8.0.6-8.1.0
CVE-2020-9488 Oracle Banking Platform Collections (Log4j) SMTPS Yes 3.7 Network High None None Unchanged Low None None 2.4.0-2.10.0
CVE-2020-9488 Oracle FLEXCUBE Investor Servicing Infrastructure (Log4j) SMTPS Yes 3.7 Network High None None Unchanged Low None None 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
Additional CVEs addressed are below:
  • The patch for CVE-2017-5645 also addresses CVE-2020-9488.
  • The patch for CVE-2019-0227 also addresses CVE-2018-8032.
  • The patch for CVE-2019-12423 also addresses CVE-2019-17573.
  • The patch for CVE-2019-13990 also addresses CVE-2019-12402 and CVE-2019-5427.
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023.
  • The patch for CVE-2020-1945 also addresses CVE-2017-5645.
  • The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Food and Beverage Applications.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability
CVE-2020-14543 Oracle Hospitality Reporting and Analytics Installation None No 7.3 Local Low Low Required Unchanged High High High 9.1.0
CVE-2020-14561 Oracle Hospitality Reporting and Analytics Installation None No 7.3 Local Low Low Required Unchanged High High High 9.1.0
CVE-2020-14594 Oracle Hospitality Reporting and Analytics Inventory Integration None No 6.5 Local Low High Required Unchanged High High High 9.1.0
CVE-2020-14616 Oracle Hospitality Reporting and Analytics Reporting HTTP No 2.7 Network Low High None Unchanged Low None None 9.1.0

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 52 new security patches for Oracle Fusion Middleware.  48 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update July 2020 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update July 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2664876.1.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability
CVE-2017-5645 Oracle Endeca Information Discovery Studio Studio (Apache Ant) HTTP Yes 9.8 Network Low None None Unchanged High High High 3.2.0
CVE-2019-17531 Oracle WebCenter Portal Security Framework (jackson-databind) HTTP Yes 9.8 Network Low None None Unchanged High High High 12.2.1.3.0, 12.2.1.4.0
CVE-2020-9546 Oracle WebLogic Server Centralized Thirdparty Jars (jackson-databind) HTTP Yes 9.8 Network Low None None Unchanged High High High 12.2.1.3.0, 12.2.1.4.0
CVE-2018-11058 Oracle WebLogic Server Security Service (RSA BSAFE) HTTPS Yes 9.8 Network Low None None Unchanged High High High 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14625 Oracle WebLogic Server Core IIOP, T3 Yes 9.8 Network Low None None Unchanged High High High 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14644 Oracle WebLogic Server Core IIOP, T3 Yes 9.8 Network Low None None Unchanged High High High 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14645 Oracle WebLogic Server Core IIOP, T3 Yes 9.8 Network Low None None Unchanged High High High 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14687 Oracle WebLogic Server Core IIOP, T3 Yes 9.8 Network Low None None Unchanged High High High 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2017-5645 Oracle WebLogic Server Centralized Thirdparty Jars (Log4j) Multiple Yes 9.8 Network Low None None Unchanged High High High 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2017-5645 Oracle WebLogic Server Console (Log4j) Multiple Yes 9.8 Network Low None None Unchanged High High High 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-1945 Oracle Endeca Information Discovery Studio Studio (Apache Ant) HTTP Yes 9.1 Network Low None None Unchanged High High None 3.2.0
CVE-2020-1945 Oracle Enterprise Repository Security Subsystem (Apache Ant) HTTP Yes 9.1 Network Low None None Unchanged High High None 11.1.1.7.0
CVE-2020-8112 Oracle Outside In Technology Installation (OpenJPEG) HTTP Yes 8.8 Network Low None Required Unchanged High High High 8.5.5, 8.5.4 See Note 1
CVE-2020-14609 Oracle Business Intelligence Enterprise Edition Analytics Web Answers HTTP Yes 8.6 Network Low None None Unchanged High Low Low 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14611 Oracle WebCenter Portal Composer HTTP Yes 8.6 Network Low None None Unchanged Low High Low 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14584 Oracle BI Publisher BI Publisher Security HTTP Yes 8.2 Network Low None Required Changed High Low None 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14585 Oracle BI Publisher Mobile Service HTTP Yes 8.2 Network Low None Required Changed High Low None 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14690 Oracle Business Intelligence Enterprise Edition Analytics Actions HTTP Yes 8.2 Network Low None Required Changed High Low None 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14608 Oracle Fusion Middleware MapViewer Tile Server HTTP Yes 8.2 Network Low None None Unchanged Low High None 12.2.1.3.0
CVE-2020-14723 Oracle Help Technologies Web UIX HTTP Yes 8.2 Network Low None Required Changed High Low None 11.1.1.9.0, 12.2.1.3.0  
CVE-2020-14588 Oracle WebLogic Server Web Container HTTP Yes 8.2 Network Low None None Unchanged Low High None 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14626 Oracle Business Intelligence Enterprise Edition Analytics Web General HTTP Yes 8.1 Network High None None Unchanged High High High 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14565 Oracle Unified Directory Security HTTP No 8.1 Network Low High Required Changed None High High 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0  
CVE-2019-17359 Oracle Business Process Management Suite Runtime Engine (Bouncy Castle Java Library) HTTPS Yes 7.5 Network Low None None Unchanged None None High 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14642 Oracle Coherence CacheStore HTTP Yes 7.5 Network Low None None Unchanged None None High 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2019-0227 Oracle WebCenter Portal WebCenter Spaces Application (Apache Axis) HTTP Yes 7.5 Adjacent Network High None None Unchanged High High High 12.2.1.3.0
CVE-2020-14639 Oracle WebLogic Server Sample apps HTTP Yes 7.5 Network Low None None Unchanged High None None 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-5398 Oracle WebLogic Server Sample apps (Spring Framework) HTTP Yes 7.5 Network High None Required Unchanged High High High 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14589 Oracle WebLogic Server Web Container HTTP Yes 7.5 Network Low None None Unchanged None None High 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-2967 Oracle WebLogic Server Web Services IIOP, T3 Yes 7.5 Network Low None None Unchanged High None None 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14696 Oracle BI Publisher Layout Templates HTTP Yes 7.2 Network Low None None Changed Low Low None 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14571 Oracle BI Publisher Mobile Service HTTP Yes 7.2 Network Low None None Changed Low Low None 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14570 Oracle BI Publisher Mobile Service HTTP Yes 7.1 Network Low None Required Unchanged High Low None 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14552 Oracle WebCenter Portal Security Framework HTTP No 6.8 Network Low Low Required Changed High None None 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14557 Oracle WebLogic Server Web Container HTTP Yes 6.8 Network High None Required Unchanged High High None 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14655 Oracle Security Service SSL API HTTPS Yes 6.5 Network High None None Unchanged High Low None 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14652 Oracle WebLogic Server Core HTTP Yes 6.5 Network Low None None Unchanged Low Low None 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2019-14862 Oracle Business Intelligence Enterprise Edition BI Platform Security (Knockout) HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-1941 Oracle Enterprise Repository Security Subsystem (Apache ActiveMQ) HTTP Yes 6.1 Network Low None Required Changed Low Low None 11.1.1.7.0  
CVE-2020-14607 Oracle Fusion Middleware MapViewer Tile Server HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14613 Oracle WebCenter Sites Advanced User Interface HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14572 Oracle WebLogic Server Console HTTP Yes 6.1 Network Low None Required Changed Low Low None 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0  
CVE-2020-14636 Oracle WebLogic Server Sample apps HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2020-14637 Oracle WebLogic Server Sample apps HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2020-14638 Oracle WebLogic Server Sample apps HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2020-14640 Oracle WebLogic Server Sample apps HTTP Yes 6.1 Network Low None Required Changed Low Low None 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0  
CVE-2020-14530 Oracle Security Service None HTTPS Yes 5.9 Network High None None Unchanged High None None 11.1.1.9.0
CVE-2019-12415 Oracle WebCenter Portal Security Framework (Apache POI) None No 5.5 Local Low Low None Unchanged High None None 12.2.1.3.0, 12.2.1.4.0
CVE-2020-2966 Oracle WebLogic Server Console HTTP Yes 5.4 Network Low None Required Unchanged Low Low None 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14622 Oracle WebLogic Server Core HTTP No 4.9 Network Low High None Unchanged High None None 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-9488 Oracle Fusion Middleware MapViewer Install (Log4j) SMTPS Yes 3.7 Network High None None Unchanged Low None None 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14548 Oracle Business Intelligence Enterprise Edition Analytics Web General HTTP Yes 3.4 Network High None Required Changed Low None None 12.2.1.3.0, 12.2.1.4.0  
Notes:
  1. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.
Additional CVEs addressed are below:
  • The patch for CVE-2017-5645 also addresses CVE-2019-17571.
  • The patch for CVE-2019-0227 also addresses CVE-2018-8032.
  • The patch for CVE-2019-17531 also addresses CVE-2019-16943, CVE-2019-17267, CVE-2019-20330 and CVE-2020-9546.
  • The patch for CVE-2020-1945 also addresses CVE-2017-5645.
  • The patch for CVE-2020-5398 also addresses CVE-2020-5397.
  • The patch for CVE-2020-8112 also addresses CVE-2018-6616, CVE-2019-12973 and CVE-2020-6851.
  • The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle GraalVM Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle GraalVM.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability
CVE-2019-17560 Oracle GraalVM Enterprise Edition GraalVM Compiler (Apache NetBeans) HTTPS Yes 9.1 Network Low None None Unchanged High High None 19.3.2, 20.1.0
CVE-2020-14583 Oracle GraalVM Enterprise Edition Java Multiple Yes 8.3 Network High None Required Changed High High High 19.3.2, 20.1.0  
CVE-2020-11080 Oracle GraalVM Enterprise Edition JavaScript (Node.js) HTTP Yes 7.5 Network Low None None Unchanged None None High 19.3.2, 20.1.0
CVE-2020-14718 Oracle GraalVM Enterprise Edition JVMCI Multiple No 7.2 Network Low High None Unchanged High High High 19.3.2, 20.1.0
Additional CVEs addressed are below:
  • The patch for CVE-2019-17560 also addresses CVE-2019-17561.
  • The patch for CVE-2020-11080 also addresses CVE-2020-8172.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Health Sciences Applications.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability
CVE-2020-1938 Oracle Health Sciences Empirica Inspections Web server (Apache Tomcat) Apache JServ Protocol (AJP) Yes 9.8 Network Low None None Unchanged High High High 1.0.1.2
CVE-2020-1938 Oracle Health Sciences Empirica Signal Web server (Apache Tomcat) Apache JServ Protocol (AJP) Yes 9.8 Network Low None None Unchanged High High High 7.3.3
CVE-2020-5398 Oracle Healthcare Master Person Index Master Data Management (Spring Framework) HTTP Yes 7.5 Network High None Required Unchanged High High High 4.0.2
CVE-2020-11022 Oracle Healthcare Translational Research Cohort Explorer (jQuery) HTTP Yes 6.1 Network Low None Required Changed Low Low None 3.2.1, 3.3.1, 3.3.2, 3.4.0  
Additional CVEs addressed are below:
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023.
  • The patch for CVE-2020-1938 also addresses CVE-2019-17569 and CVE-2020-1935.
  • The patch for CVE-2020-5398 also addresses CVE-2020-5397.

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Hospitality Applications.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability
CVE-2020-1938 Oracle Hospitality Guest Access Base (Apache Tomcat) Apache JServ Protocol (AJP) Yes 9.8 Network Low None None Unchanged High High High 4.2.0, 4.2.1
Additional CVEs addressed are below:
  • The patch for CVE-2020-1938 also addresses CVE-2019-17569 and CVE-2020-1935.

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Hyperion.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability
CVE-2020-14546 Hyperion Financial Close Management Close Manager HTTP No 4.2 Network High High Required Unchanged None High None 11.1.2.4
CVE-2020-14560 Oracle Hyperion BI+ UI and Visualization HTTP No 4.2 Network High High Required Unchanged High None None 11.1.2.4
CVE-2020-14541 Hyperion Financial Close Management Close Manager HTTP No 2.0 Network High High Required Unchanged None Low None 11.1.2.4

Oracle iLearning Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle iLearning.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability
CVE-2020-14595 Oracle iLearning Assessment Manager HTTP Yes 8.2 Network Low None None Unchanged High None Low 6.1, 6.1.1

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Insurance Applications.  4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
CVSS 3.1 sub-columns: Base Score, Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability
CVE-2017-12626 Oracle Insurance Policy Administration J2EE Architecture (Apache POI) HTTP Yes 7.5 Network Low None None Unchanged None None High 10.2.0, 10.2.4
CVE-2020-5398 Oracle Insurance Policy Administration J2EE Architecture (Spring Framework) HTTP Yes 7.5 Network High None Required Unchanged High High High 10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0
CVE-2020-5398 Oracle Insurance Rules Palette Architecture (Spring Framework) HTTP Yes 7.5 Network High None Required Unchanged High High High 10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0
CVE-2019-12415 Oracle Insurance Policy Administration J2EE Architecture (Apache POI) None No 5.5 Local Low Low None Unchanged High None None 11.0.2, 11.1.0, 11.2.0
CVE-2019-12415 Oracle Insurance Rules Palette Architecture (Apache POI) None No 5.5 Local Low Low None Unchanged High None None 10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0
CVE-2020-9488 Oracle Insurance Data Gateway Security (Log4j) SMTPS Yes 3.7 Network High None None Unchanged Low None None 1.0
Additional CVEs addressed are below:
  • The patch for CVE-2019-12415 also addresses CVE-2017-12626.
  • The patch for CVE-2020-5398 also addresses CVE-2018-15756 and CVE-2020-5397.

Oracle Java SE Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle Java SE.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-14664 | Java SE | JavaFX | Multiple | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Java SE: 8u251 | See Note 1
CVE-2020-14583 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251 | See Note 1
CVE-2020-14593 | Java SE, Java SE Embedded | 2D | Multiple | Yes | 7.4 | Network | Low | None | Required | Changed | None | High | None | Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251 | See Note 1
CVE-2020-14562 | Java SE | ImageIO | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | Java SE: 11.0.7, 14.0.1 | See Note 1
CVE-2020-14621 | Java SE, Java SE Embedded | JAXP | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251 | See Note 2
CVE-2020-14556 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | Java SE: 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251 | See Note 3
CVE-2020-14573 | Java SE | Hotspot | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | Java SE: 11.0.7, 14.0.1 | See Note 3
CVE-2020-14581 | Java SE, Java SE Embedded | 2D | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | Java SE: 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251 | See Note 3
CVE-2020-14578 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | Java SE: 7u261, 8u251; Java SE Embedded: 8u251 | See Note 3
CVE-2020-14579 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | Java SE: 7u261, 8u251; Java SE Embedded: 8u251 | See Note 3
CVE-2020-14577 | Java SE, Java SE Embedded | JSSE | TLS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251 | See Note 3
Notes:
  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
  2. This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
  3. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle JD Edwards.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-9546 | JD Edwards EnterpriseOne Orchestrator | E1 IOT Orchestrator Security (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 9.2.4.2 |
CVE-2020-9546 | JD Edwards EnterpriseOne Tools | EnterpriseOne Mobility Sec (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 9.2.4.2 |
CVE-2020-9546 | JD Edwards EnterpriseOne Tools | Monitoring and Diagnostics (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 9.2.4.2 |
CVE-2020-9546 | JD Edwards EnterpriseOne Tools | Web Runtime (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 9.2.4.2 |
CVE-2020-9488 | JD Edwards EnterpriseOne Tools | Installation SEC (Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | Prior to 9.2.3.3 |
CVE-2020-9488 | JD Edwards EnterpriseOne Tools | Monitoring and Diagnostics (Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | Prior to 9.2.3.3 |
Additional CVEs addressed are below:
  • The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 41 new security patches for Oracle MySQL.  6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-1938 | MySQL Enterprise Monitor | Monitoring: General (Apache Tomcat) | Apache JServ Protocol (AJP) | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 4.0.12 and prior, 8.0.20 and prior |
CVE-2020-1967 | MySQL Connectors | Connector/C++ (OpenSSL) | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.20 and prior |
CVE-2020-1967 | MySQL Connectors | Connector/ODBC (OpenSSL) | TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.20 and prior |
CVE-2020-5398 | MySQL Enterprise Monitor | Monitoring: General (Spring Framework) | HTTPS | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 4.0.12 and prior, 8.0.20 and prior |
CVE-2020-1967 | MySQL Server | Server: Security: Encryption (OpenSSL) | MySQL Protocol | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior |
CVE-2020-14663 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 8.0.20 and prior |
CVE-2020-14678 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 8.0.20 and prior |
CVE-2020-14697 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 8.0.20 and prior |
CVE-2020-14591 | MySQL Server | Server: Audit Plug-in | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.20 and prior |
CVE-2020-14539 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior |
CVE-2020-14680 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.20 and prior |
CVE-2020-14619 | MySQL Server | Server: Parser | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.20 and prior |
CVE-2020-14576 | MySQL Server | Server: UDF | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.7.30 and prior, 8.0.20 and prior |
CVE-2020-14643 | MySQL Server | Server: Security: Roles | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 8.0.20 and prior |
CVE-2020-14651 | MySQL Server | Server: Security: Roles | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 8.0.20 and prior |
CVE-2020-14550 | MySQL Client | C API | MySQL Protocol | No | 5.3 | Network | High | Low | None | Unchanged | None | None | High | 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior |
CVE-2019-1551 | MySQL Enterprise Monitor | Monitoring: General (OpenSSL) | HTTPS | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 4.0.12 and prior, 8.0.20 and prior |
CVE-2020-14568 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.20 and prior |
CVE-2020-14623 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.20 and prior |
CVE-2020-14540 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.30 and prior, 8.0.20 and prior |
CVE-2020-14575 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.20 and prior |
CVE-2020-14620 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.20 and prior |
CVE-2020-14624 | MySQL Server | Server: JSON | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.20 and prior |
CVE-2020-14656 | MySQL Server | Server: Locking | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.20 and prior |
CVE-2020-14547 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.30 and prior, 8.0.20 and prior |
CVE-2020-14597 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.20 and prior |
CVE-2020-14614 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.20 and prior |
CVE-2020-14654 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.20 and prior |
CVE-2020-14725 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.20 and prior |
CVE-2020-14632 | MySQL Server | Server: Options | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.20 and prior |
CVE-2020-14567 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.29 and prior, 8.0.19 and prior |
CVE-2020-14631 | MySQL Server | Server: Security: Audit | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.20 and prior |
CVE-2020-14586 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.20 and prior |
CVE-2020-14702 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.20 and prior |
CVE-2020-14641 | MySQL Server | Server: Security: Roles | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | High | None | None | 8.0.20 and prior |
CVE-2020-14559 | MySQL Server | Server: Information Schema | MySQL Protocol | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior |
CVE-2020-14553 | MySQL Server | Server: Pluggable Auth | MySQL Protocol | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 5.7.30 and prior, 8.0.20 and prior |
CVE-2020-14633 | MySQL Server | InnoDB | MySQL Protocol | No | 2.7 | Network | Low | High | None | Unchanged | None | Low | None | 8.0.20 and prior |
CVE-2020-14634 | MySQL Server | InnoDB | MySQL Protocol | No | 2.7 | Network | Low | High | None | Unchanged | Low | None | None | 8.0.20 and prior |
CVE-2020-5258 | MySQL Cluster | Cluster: Packaging (dojo) | Multiple | No | 0.0 | Network | Low | Low | Required | Unchanged | None | None | None | 7.3.29 and prior, 7.4.28 and prior, 7.5.18 and prior, 7.6.14 and prior, 8.0.20 and prior | See Note 1
CVE-2020-1967 | MySQL Enterprise Monitor | Monitoring: General (OpenSSL) | HTTPS | No | 0.0 | Network | Low | None | None | Unchanged | None | None | None | 4.0.12 and prior, 8.0.20 and prior | See Note 2
Notes:
  1. This CVE is not exploitable in MySQL Cluster. The CVSS v3.1 Base Score for this CVE in the National Vulnerability Database (NVD) is 7.5.
  2. This CVE is not exploitable in MySQL Enterprise Monitor. The CVSS v3.1 Base Score for this CVE in the National Vulnerability Database (NVD) is 7.5.
Additional CVEs addressed are below:
  • The patch for CVE-2020-1938 also addresses CVE-2019-17569 and CVE-2020-1935.
  • The patch for CVE-2020-5398 also addresses CVE-2020-5397.

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle PeopleSoft.  9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2019-17359 | PeopleSoft Enterprise HCM Global Payroll Switzerland | Global Payroll for Switzerland (Bouncy Castle Java Library) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 9.2 |
CVE-2019-16056 | PeopleSoft Enterprise PeopleTools | Porting (Python) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.57, 8.58 |
CVE-2019-11358 | PeopleSoft Enterprise FIN Expenses | Expenses (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.2 |
CVE-2020-14627 | PeopleSoft Enterprise PeopleTools | Query | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 |
CVE-2020-14592 | PeopleSoft Enterprise PeopleTools | Rich Text Editor | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 |
CVE-2020-14587 | PeopleSoft Enterprise FIN Expenses | Expenses | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 9.2 |
CVE-2020-14612 | PeopleSoft Enterprise HRMS | Time and Labor | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 9.2 |
CVE-2020-14558 | PeopleSoft Enterprise PeopleTools | Portal | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.56, 8.57, 8.58 |
CVE-2019-1551 | PeopleSoft Enterprise PeopleTools | Security (OpenSSL) | HTTPS | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.56, 8.57, 8.58 |
CVE-2020-14600 | PeopleSoft Enterprise PeopleTools | Portal | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | Low | None | 8.56, 8.57, 8.58 |
CVE-2020-14564 | PeopleSoft Enterprise PeopleTools | Environment Mgmt Console | HTTP | No | 2.7 | Network | Low | High | None | Unchanged | None | Low | None | 8.56, 8.57, 8.58 |
Additional CVEs addressed are below:
  • The patch for CVE-2019-16056 also addresses CVE-2019-16935.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 47 new security patches for Oracle Retail Applications.  42 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2019-13990 | Customer Management and Segmentation Foundation | Segment (Terracotta Quartz Scheduler) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 18.0 |
CVE-2019-12086 | Customer Management and Segmentation Foundation | Segment (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 18.0 |
CVE-2020-2555 | Oracle Retail Assortment Planning | Application Core (Coherence) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 15.0, 16.0 |
CVE-2017-5645 | Oracle Retail Extract Transform and Load | Mathematical Operators (Log4j) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 19.0 |
CVE-2020-1945 | Oracle Retail Financial Integration | PeopleSoft Integration (Apache Ant) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 15.0, 16.0 |
CVE-2020-10683 | Oracle Retail Integration Bus | RIB Kernal (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 15.0, 16.0 |
CVE-2019-13990 | Oracle Retail Integration Bus | RIB Kernal (Terracotta Quartz Scheduler) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 15.0, 16.0 |
CVE-2019-16943 | Oracle Retail Merchandising System | Inventory Movement (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 15.0.3, 16.0.2, 16.0.3 |
CVE-2019-16943 | Oracle Retail Sales Audit | Transaction Maintenance (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.1 |
CVE-2017-5645 | Oracle Retail Service Backbone | Installer (Log4j) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.1, 15.0, 16.0 |
CVE-2019-13990 | Oracle Retail Xstore Point of Service | Xenvironment (Terracotta Quartz Scheduler) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 15.0, 16.0, 17.0, 18.0, 19.0 |
CVE-2020-9546 | Oracle Retail Xstore Point of Service | Xenvironment (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 15.0, 16.0, 17.0, 18.0, 19.0 |
CVE-2020-1945 | Category Management Planning & Optimization | ODI Integration (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 15.0.3 |
CVE-2020-1945 | Oracle Retail Assortment Planning | Application Core (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 15.0.3, 16.0.3 |
CVE-2020-1945 | Oracle Retail Bulk Data Integration | BDI Job Scheduler (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 15.0, 16.0 |
CVE-2020-1945 | Oracle Retail Data Extractor for Merchandising | ODI Knowledge Module (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 1.9, 1.10 |
CVE-2020-1945 | Oracle Retail Item Planning | Application Core (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 15.0.3 |
CVE-2020-1945 | Oracle Retail Macro Space Optimization | ODI Integration (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 15.0.3 |
CVE-2020-1945 | Oracle Retail Merchandise Financial Planning | Application Core (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 15.0.3 |
CVE-2020-1945 | Oracle Retail Predictive Application Server | RPAS Server (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 14.0.3, 14.1.3, 15.0.3, 16.0.3 |
CVE-2020-1945 | Oracle Retail Regular Price Optimization | Operations & Maintenance (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 15.0.3, 16.0.3 |
CVE-2020-1945 | Oracle Retail Replenishment Optimization | Application Core (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 15.0.3 |
CVE-2020-1945 | Oracle Retail Service Backbone | Install (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 15.0, 16.0 |
CVE-2020-1945 | Oracle Retail Size Profile Optimization | Application Core (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 15.0.3 |
CVE-2020-1945 | Oracle Retail Store Inventory Management | SIM Integration (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 14.0.4, 14.1.3, 15.0.3, 16.0.3 |
CVE-2015-9251 | Oracle Retail Customer Management and Segmentation Foundation | Promotions (jQuery) | HTTP | No | 8.0 | Network | Low | Low | Required | Unchanged | High | High | High | 18.0 |
CVE-2020-5398 | Oracle Retail Assortment Planning | Application Core (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 15.0, 16.0 |
CVE-2020-5398 | Oracle Retail Financial Integration | PeopleSoft Integration (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 15.0, 16.0 |
CVE-2017-12626 | Oracle Retail Fusion Platform | Retail Portal Framework (Apache POI) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 5.5 |
CVE-2020-5398 | Oracle Retail Integration Bus | RIB Kernal (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 15.0.3, 16.0.3 |
CVE-2019-12423 | Oracle Retail Order Broker | System Administration (Apache CXF) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 15.0 |
CVE-2020-5398 | Oracle Retail Predictive Application Server | RPAS Server (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 14.0.3, 14.1.3, 15.0.3, 16.0.3 |
CVE-2020-5398 | Oracle Retail Service Backbone | RSB Installation (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 15.0, 16.0 |
CVE-2019-10086 | Customer Management and Segmentation Foundation | Promotions (Apache Commons-Beanutils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 18.0 |
CVE-2020-14709 | Customer Management and Segmentation Foundation | Card | HTTP | No | 7.1 | Network | Low | Low | None | Unchanged | Low | High | None | 16.0, 17.0, 18.0 |
CVE-2019-3740 | Oracle Retail Store Inventory Management | SIM Integration (BSAFE Crypto-J) | TLS | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 14.0.4, 14.1.3, 15.0.3, 16.0.3 |
CVE-2019-17091 | Oracle Retail Financial Integration | PeopleSoft Integration (Eclipse Mojarra) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 15.0, 16.0 |
CVE-2019-17091 | Oracle Retail Integration Bus | RIB Kernal (Eclipse Mojarra) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 15.0, 16.0 |
CVE-2019-17091 | Oracle Retail Invoice Matching | Pricing (Eclipse Mojarra) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 16.0 |
CVE-2019-17091 | Oracle Retail Service Backbone | RSB kernel (Eclipse Mojarra) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 15.0, 16.0 |
CVE-2018-10237 | Oracle Retail Integration Bus | Packaging (Google Guava) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 15.0, 16.0 |
CVE-2020-14710 | Customer Management and Segmentation Foundation | Security | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 16.0, 17.0, 18.0 |
CVE-2020-14708 | Customer Management and Segmentation Foundation | Segment | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 16.0, 17.0, 18.0 |
CVE-2018-15756 | Oracle Retail Xstore Point of Service | Point of Sale (Spring Framework) | HTTP | No | 4.3 | Network | Low | High | Required | Unchanged | Low | Low | Low | 7.1 |
CVE-2020-9488 | Oracle Retail Data Extractor for Merchandising | Knowledge Module (Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 18.0 |
CVE-2020-9488 | Oracle Retail Financial Integration | PeopleSoft Integration (Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 15.0, 16.0 |
CVE-2020-9488 | Oracle Retail Store Inventory Management | SIM Integration (Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 14.0.4, 14.1.3, 15.0.3, 16.0.3 |
Additional CVEs addressed are below:
  • The patch for CVE-2015-9251 also addresses CVE-2020-11022.
  • The patch for CVE-2017-12626 also addresses CVE-2019-12415.
  • The patch for CVE-2018-15756 also addresses CVE-2018-11039, CVE-2018-11040, CVE-2018-1199, CVE-2018-1257, CVE-2018-1270, CVE-2018-1271, CVE-2018-1272 and CVE-2018-1275.
  • The patch for CVE-2019-12086 also addresses CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019-17531 and CVE-2019-20330.
  • The patch for CVE-2019-12423 also addresses CVE-2019-17573.
  • The patch for CVE-2019-13990 also addresses CVE-2019-5427.
  • The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.
  • The patch for CVE-2019-3740 also addresses CVE-2019-3738 and CVE-2019-3739.
  • The patch for CVE-2020-1945 also addresses CVE-2017-5645.
  • The patch for CVE-2020-5398 also addresses CVE-2020-5397.
  • The patch for CVE-2020-9546 also addresses CVE-2019-16942, CVE-2019-16943, CVE-2019-17531, CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Siebel CRM.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2019-16943 | Siebel Engineering - Installer & Deployment | Siebel Approval Manager (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 2.20.5 and prior |
CVE-2020-1938 | Siebel UI Framework | EAI, SWSE (Apache Tomcat) | Apache JServ Protocol (AJP) | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 20.5 and prior |
CVE-2019-16943 | Siebel UI Framework | EAI (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 20.5 and prior |
CVE-2020-14531 | Siebel UI Framework | SWSE Server | HTTP | Yes | 5.9 | Network | High | None | Required | Unchanged | High | Low | None | 20.6 and prior |
CVE-2020-9488 | Siebel Engineering - Installer & Deployment | Siebel Approval Manager (Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 2.20.5 and prior |
Additional CVEs addressed are below:
  • The patch for CVE-2019-16943 also addresses CVE-2019-16942 and CVE-2019-17531.

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 22 new security patches for Oracle Supply Chain.  18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2019-2729 | Oracle Rapid Planning | Middle Tier | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1, 12.2 |
CVE-2020-2555 | Oracle Rapid Planning | Middle Tier | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1, 12.2 |
CVE-2016-1000031 | Oracle Rapid Planning | Middle Tier (Apache Commons FileUpload) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1, 12.2 |
CVE-2016-5019 | Oracle Rapid Planning | Middle Tier (Apache Trinidad) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1, 12.2 |
CVE-2020-10683 | Oracle Rapid Planning | Middle Tier (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1, 12.2 |
CVE-2016-4000 | Oracle Rapid Planning | Middle Tier (jython) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1, 12.2 |
CVE-2017-5645 | Oracle Rapid Planning | Middle Tier (Apache Ant) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1, 12.2 |
CVE-2017-5645 | Oracle Rapid Planning | Middle Tier (Log4j) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1, 12.2 |
CVE-2019-17563 | Oracle Transportation Management | Install (Apache Tomcat) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.3.7 |
CVE-2016-6814 | Oracle Agile Engineering Data Management | Install (Apache Groovy) | HTTP | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 6.2.1.0 |
CVE-2020-1945 | Oracle Rapid Planning | Middle Tier (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.1, 12.2 |
CVE-2015-7501 | Oracle Rapid Planning | Middle Tier (Apache Commons Collections) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.1, 12.2 |
CVE-2020-14669 | Oracle Configurator | UI Servlet | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1, 12.2 |
CVE-2019-0227 | Oracle Agile Engineering Data Management | Install (Apache Axis) | HTTP | Yes | 7.5 | Adjacent Network | High | None | None | Unchanged | High | High | High | 6.2.1.0 |
CVE-2019-0227 | Oracle Rapid Planning | Installation (Apache Axis) | HTTP | Yes | 7.5 | Adjacent Network | High | None | None | Unchanged | High | High | High | 12.1, 12.2 |
CVE-2020-5398 | Oracle Rapid Planning | Installation (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 12.1, 12.2 |
CVE-2018-15756 | Oracle Rapid Planning | Middle Tier (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.1, 12.2 |
CVE-2018-8013 | Oracle Rapid Planning | Middle Tier (Apache Batik) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 12.1, 12.2 |
CVE-2019-17091 | Oracle Rapid Planning | Installation (Eclipse Mojarra) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.1, 12.2 |
CVE-2019-1547 | Oracle Agile Engineering Data Management | Install (OpenSSL) | None | No | 4.7 | Local | High | Low | None | Unchanged | High | None | None | 6.2.1.0 |
CVE-2020-14551 | Oracle AutoVue | Security | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 21.0 |
CVE-2020-14544 | Oracle Transportation Management | Data, Domain & Function Security | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 6.4.3 |
Additional CVEs addressed are below:
  • The patch for CVE-2019-0227 also addresses CVE-2018-8032.
  • The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563.
  • The patch for CVE-2019-17563 also addresses CVE-2019-17569, CVE-2020-1935 and CVE-2020-1938.
  • The patch for CVE-2019-2729 also addresses CVE-2019-2725.
  • The patch for CVE-2020-5398 also addresses CVE-2020-5397.

Oracle Systems Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Systems.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-11656 | Oracle ZFS Storage Appliance Kit | Operating System Image | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.8 |
CVE-2020-14724 | Oracle Solaris | Device Driver Utility | None | No | 7.3 | Local | Low | Low | Required | Unchanged | High | High | High | 11 |
CVE-2018-12207 | Oracle Solaris | Kernel | None | No | 6.5 | Local | Low | Low | None | Changed | None | None | High | 11 | See Note 1
CVE-2020-14537 | Oracle Solaris | Packaging Scripts | None | No | 5.5 | Local | Low | High | Required | Changed | None | None | High | 11 |
CVE-2020-14545 | Oracle Solaris | Device Driver Utility | None | No | 5.0 | Local | High | Low | Required | Unchanged | None | High | Low | 11 |
CVE-2019-5489 | Oracle Solaris | Kernel | Multiple | No | 3.5 | Network | High | Low | None | Changed | Low | None | None | 11 |
CVE-2020-14542 | Oracle Solaris | libsuri | None | No | 3.3 | Local | Low | Low | None | Unchanged | Low | None | None | 11 |
Notes:
  1. Please refer to My Oracle Support Note 2609642.1 for further information on how CVE-2018-12207 impacts Oracle Solaris.
Additional CVEs addressed are below:
  • The patch for CVE-2020-11656 also addresses CVE-2020-1927 and CVE-2020-1934.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Utilities Applications.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics (see Risk Matrix Definitions).
CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2018-12023 | Oracle Utilities Framework | Common (jackson-databind) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 |

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 25 new security patches for Oracle Virtualization.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-14628 | Oracle VM VirtualBox | Core | None | No | 8.2 | Local | Low | High | None | Changed | High | High | High | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | See Note 1 |
| CVE-2020-14646 | Oracle VM VirtualBox | Core | None | No | 7.5 | Local | High | High | None | Changed | High | High | High | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14647 | Oracle VM VirtualBox | Core | None | No | 7.5 | Local | High | High | None | Changed | High | High | High | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14649 | Oracle VM VirtualBox | Core | None | No | 7.5 | Local | High | High | None | Changed | High | High | High | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14713 | Oracle VM VirtualBox | Core | None | No | 7.5 | Local | High | High | None | Changed | High | High | High | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14674 | Oracle VM VirtualBox | Core | None | No | 7.5 | Local | High | High | None | Changed | High | High | High | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14675 | Oracle VM VirtualBox | Core | None | No | 7.5 | Local | High | High | None | Changed | High | High | High | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14676 | Oracle VM VirtualBox | Core | None | No | 7.5 | Local | High | High | None | Changed | High | High | High | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14677 | Oracle VM VirtualBox | Core | None | No | 7.5 | Local | High | High | None | Changed | High | High | High | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14699 | Oracle VM VirtualBox | Core | None | No | 7.5 | Local | High | High | None | Changed | High | High | High | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14711 | Oracle VM VirtualBox | Core | None | No | 6.5 | Local | Low | High | Required | Unchanged | High | High | High | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | See Note 2 |
| CVE-2020-14629 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14703 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14704 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14648 | Oracle VM VirtualBox | Core | None | No | 5.3 | Local | High | High | None | Changed | High | None | None | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14650 | Oracle VM VirtualBox | Core | None | No | 5.3 | Local | High | High | None | Changed | High | None | None | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14673 | Oracle VM VirtualBox | Core | None | No | 5.3 | Local | High | High | None | Changed | High | None | None | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14694 | Oracle VM VirtualBox | Core | None | No | 5.3 | Local | High | High | None | Changed | High | None | None | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14695 | Oracle VM VirtualBox | Core | None | No | 5.3 | Local | High | High | None | Changed | High | None | None | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14698 | Oracle VM VirtualBox | Core | None | No | 5.3 | Local | High | High | None | Changed | High | None | None | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14700 | Oracle VM VirtualBox | Core | None | No | 5.3 | Local | High | High | None | Changed | High | None | None | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14712 | Oracle VM VirtualBox | Core | None | No | 5.0 | Local | Low | Low | Required | Unchanged | None | High | None | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14707 | Oracle VM VirtualBox | Core | None | No | 5.0 | Local | Low | Low | Required | Unchanged | None | None | High | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14714 | Oracle VM VirtualBox | Core | None | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
| CVE-2020-14715 | Oracle VM VirtualBox | Core | None | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | Prior to 5.2.44, prior to 6.0.24, prior to 6.1.12 | |
Notes:
  1. CVE-2020-14628 is applicable to Windows VMs only.
  2. CVE-2020-14711 is applicable to macOS hosts only.