Oracle Critical Patch Update Advisory

Cloud Account Sign in to Cloud Sign Up for Free Cloud Tier

Oracle Account

Oracle Critical Patch Update Advisory - October 2020

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.

Starting with the October 2020 Critical Patch Update, Oracle lists updates that address vulnerabilities in third-party components which are not exploitable in the context of their inclusion in their respective Oracle product beneath the product's risk matrix. Oracle has published two versions of the October 2020 Critical Patch Update Advisory: this version of the advisory implemented the change in how non-exploitable vulnerabilities in third-party components are reported, and the “traditional” advisory follows the same format as the previous advisories. The “traditional” advisory is published at https://www.oracle.com/security-alerts/cpuoct2020traditional.html.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 403 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at October 2020 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions	Patch Availability Document
Application Performance Management (APM), versions 13.3.0.0, 13.4.0.0	Enterprise Manager
Big Data Spatial and Graph, versions prior to 3.0	Database
Enterprise Manager Base Platform, versions 13.2.1.0, 13.3.0.0, 13.4.0.0	Enterprise Manager
Enterprise Manager for Peoplesoft, version 13.4.1.1	Enterprise Manager
Enterprise Manager for Storage Management, versions 13.3.0.0, 13.4.0.0	Enterprise Manager
Enterprise Manager Ops Center, version 12.4.0.0	Enterprise Manager
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2362, prior to XCP3090	Systems
Fujitsu M12-1, M12-2, M12-2S Servers, versions prior to XCP3090	Systems
Hyperion Analytic Provider Services, version 11.1.2.4	Fusion Middleware
Hyperion BI+, version 11.1.2.4	Fusion Middleware
Hyperion Essbase, version 11.1.2.4	Fusion Middleware
Hyperion Infrastructure Technology, version 11.1.2.4	Fusion Middleware
Hyperion Lifecycle Management, version 11.1.2.4	Fusion Middleware
Hyperion Planning, version 11.1.2.4	Fusion Middleware
Identity Manager Connector, version 9.0	Fusion Middleware
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3	Oracle Construction and Engineering Suite
Management Pack for Oracle GoldenGate, version 12.2.1.2.0	Fusion Middleware
MySQL Cluster, versions 7.3.30 and prior, 7.4.29 and prior, 7.5.19 and prior, 7.6.15 and prior, 8.0.21 and prior	MySQL
MySQL Enterprise Monitor, versions 8.0.21 and prior	MySQL
MySQL Server, versions 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior	MySQL
MySQL Workbench, versions 8.0.21 and prior	MySQL
Oracle Access Manager, version 11.1.2.3.0	Fusion Middleware
Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6	Oracle Supply Chain Products
Oracle Agile Product Lifecycle Management for Process, version 6.2.0.0	Oracle Supply Chain Products
Oracle Application Express, versions prior to 20.2	Database
Oracle Application Testing Suite, version 13.3.0.1	Enterprise Manager
Oracle Banking Corporate Lending, versions 12.3.0, 14.0.0-14.4.0	Oracle Financial Services Applications
Oracle Banking Digital Experience, versions 18.1, 18.2, 18.3, 19.1, 19.2, 20.1	Oracle Financial Services Applications
Oracle Banking Payments, versions 14.1.0-14.4.0	Oracle Financial Services Applications
Oracle Banking Platform, versions 2.4.0-2.10.0	Oracle Banking Platform
Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Communications Application Session Controller, versions 3.8m0, 3.9m0p1	Oracle Communications Application Session Controller
Oracle Communications Billing and Revenue Management, versions 7.5.0.23.0, 12.0.0.2.0, 12.0.0.3.0	Oracle Communications Billing and Revenue Management
Oracle Communications BRM - Elastic Charging Engine, versions 11.3.0.9.0, 12.0.0.3.0	Oracle Communications BRM - Elastic Charging Engine
Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0.0-8.4.0.5, [IDIH] 8.0.0-8.2.2	Oracle Communications Diameter Signaling Router
Oracle Communications EAGLE Software, versions 46.6.0-46.8.2	Oracle Communications EAGLE
Oracle Communications Element Manager, versions 8.2.0-8.2.2	Oracle Communications Element Manager
Oracle Communications Evolved Communications Application Server, version 7.1	Oracle Communications Evolved Communications Application Server
Oracle Communications Messaging Server, version 8.1	Oracle Communications Messaging Server
Oracle Communications Offline Mediation Controller, version 12.0.0.3.0	Oracle Communications Offline Mediation Controller
Oracle Communications Services Gatekeeper, version 7	Oracle Communications Services Gatekeeper
Oracle Communications Session Border Controller, versions 8.2-8.4	Oracle Communications Session Border Controller
Oracle Communications Session Report Manager, versions 8.2.0-8.2.2	Oracle Communications Session Report Manager
Oracle Communications Session Route Manager, versions 8.2.0-8.2.2	Oracle Communications Session Route Manager
Oracle Communications Unified Inventory Management, versions 7.3.0, 7.4.0	Oracle Communications Unified Inventory Management
Oracle Communications WebRTC Session Controller, version 7.2	Oracle Communications WebRTC Session Controller
Oracle Data Integrator, versions 11.1.1.9.0, 12.2.1.3.0	Fusion Middleware
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c	Database
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10	E-Business Suite
Oracle Endeca Information Discovery Integrator, version 3.2.0	Fusion Middleware
Oracle Endeca Information Discovery Studio, version 3.2.0	Fusion Middleware
Oracle Enterprise Repository, version 11.1.1.7.0	Fusion Middleware
Oracle Enterprise Session Border Controller, version 8.4	Oracle Enterprise Session Border Controller
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0	Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Analytical Applications Reconciliation Framework, versions 8.0.6-8.0.8, 8.1.0	Oracle Financial Services Analytical Applications Reconciliation Framework
Oracle Financial Services Asset Liability Management, versions 8.0.6, 8.0.7, 8.1.0	Oracle Financial Services Asset Liability Management
Oracle Financial Services Balance Sheet Planning, version 8.0.8	Oracle Financial Services Balance Sheet Planning
Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.6-8.0.8, 8.1.0	Oracle Financial Services Basel Regulatory Capital Basic
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.6-8.0.8, 8.1.0	Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach
Oracle Financial Services Data Foundation, versions 8.0.6-8.1.0	Oracle Financial Services Data Foundation
Oracle Financial Services Data Governance for US Regulatory Reporting, versions 8.0.6-8.0.9	Oracle Financial Services Data Governance for US Regulatory Reporting
Oracle Financial Services Data Integration Hub, versions 8.0.6, 8.0.7, 8.1.0	Oracle Financial Services Data Integration Hub
Oracle Financial Services Funds Transfer Pricing, versions 8.0.6, 8.0.7, 8.1.0	Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.6-8.0.8, 8.1.0	Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services Institutional Performance Analytics, versions 8.0.6, 8.0.7, 8.1.0, 8.7.0	Oracle Financial Services Institutional Performance Analytics
Oracle Financial Services Liquidity Risk Management, version 8.0.6	Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Liquidity Risk Measurement and Management, versions 8.0.7, 8.0.8, 8.1.0	Oracle Financial Services Liquidity Risk Measurement and Management
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.6-8.0.8, 8.1.0	Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Market Risk Measurement and Management, versions 8.0.6, 8.0.8, 8.1.0	Oracle Financial Services Market Risk Measurement and Management
Oracle Financial Services Price Creation and Discovery, versions 8.0.6, 8.0.7	Oracle Financial Services Price Creation And Discovery
Oracle Financial Services Profitability Management, versions 8.0.6, 8.0.7, 8.1.0	Oracle Financial Services Profitability Management
Oracle Financial Services Regulatory Reporting for European Banking Authority, versions 8.0.6-8.1.0	Oracle Financial Services Regulatory Reporting for European Banking Authority
Oracle Financial Services Regulatory Reporting for US Federal Reserve, versions 8.0.6-8.0.9	Oracle Financial Services Regulatory Reporting for US Federal Reserve
Oracle Financial Services Regulatory Reporting with AgileREPORTER, version 8.0.9.2.0	Oracle Financial Services Regulatory Reporting with AgileREPORTER
Oracle Financial Services Retail Customer Analytics, version 8.0.6	Oracle Financial Services Retail Customer Analytics
Oracle FLEXCUBE Core Banking, versions 5.2.0, 11.5.0-11.7.0	Oracle Financial Services Applications
Oracle FLEXCUBE Direct Banking, versions 12.0.1, 12.0.2, 12.0.3	Oracle Financial Services Applications
Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0	Oracle Financial Services Applications
Oracle FLEXCUBE Universal Banking, versions 12.3.0, 14.0.0-14.4.0	Oracle Financial Services Applications
Oracle GoldenGate Application Adapters, versions 12.3.2.1.0, 19.1.0.0.0	Fusion Middleware
Oracle GraalVM Enterprise Edition, versions 19.3.3, 20.2.0	Oracle GraalVM Enterprise Edition
Oracle Health Sciences Empirica Signal, version 9.0	Health Sciences
Oracle Healthcare Data Repository, version 7.0.1	Health Sciences
Oracle Healthcare Foundation, versions 7.1.1, 7.2.0, 7.2.1, 7.3.0	Health Sciences
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1	Oracle Hospitality Guest Access
Oracle Hospitality Materials Control, version 18.1	Oracle Hospitality Materials Control
Oracle Hospitality OPERA 5 Property Services, versions 5.5, 5.6	Oracle Hospitality OPERA 5 Property Services
Oracle Hospitality Reporting and Analytics, version 9.1.0	Oracle Hospitality Reporting and Analytics
Oracle Hospitality RES 3700, version 5.7	Oracle Hospitality RES
Oracle Hospitality Simphony, versions 18.1, 18.2, 19.1.0-19.1.2	Oracle Hospitality Simphony
Oracle Hospitality Suite8, versions 8.10.2, 8.11-8.14	Oracle Hospitality Suite8
Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Insurance Accounting Analyzer, version 8.0.9	Oracle Insurance Accounting Analyzer
Oracle Insurance Allocation Manager for Enterprise Profitability, versions 8.0.8, 8.1.0	Oracle Insurance Allocation Manager for Enterprise Profitability
Oracle Insurance Data Foundation, versions 8.0.6-8.1.0	Oracle Insurance Data Foundation
Oracle Insurance Insbridge Rating and Underwriting, versions 5.0.0.0-5.6.0.0, 5.6.1.0	Oracle Insurance Applications
Oracle Insurance Policy Administration J2EE, versions 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26, 11.2.2.0	Oracle Insurance Applications
Oracle Insurance Rules Palette, versions 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26	Oracle Insurance Applications
Oracle Java SE, versions 7u271, 8u261, 11.0.8, 15	Java SE
Oracle Java SE Embedded, version 8u261	Java SE
Oracle JDeveloper, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Outside In Technology, versions 8.5.4, 8.5.5	Fusion Middleware
Oracle Policy Automation, versions 12.2.0-12.2.20	Oracle Policy Automation
Oracle Policy Automation Connector for Siebel, version 10.4.6	Oracle Policy Automation
Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.20	Oracle Policy Automation
Oracle REST Data Services, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, [Standalone ORDS] prior to 20.2.1	Database
Oracle Retail Advanced Inventory Planning, version 14.1	Retail Applications
Oracle Retail Assortment Planning, versions 15.0.3.0, 16.0.3.0	Retail Applications
Oracle Retail Back Office, versions 14.0, 14.1	Retail Applications
Oracle Retail Bulk Data Integration, versions 15.0.3.0, 16.0.3.0	Retail Applications
Oracle Retail Central Office, versions 14.0, 14.1	Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 18.0, 19.0	Retail Applications
Oracle Retail Integration Bus, versions 14.1, 15.0, 16.0	Retail Applications
Oracle Retail Order Broker, versions 15.0, 16.0, 18.0, 19.0, 19.1, 19.2, 19.3	Retail Applications
Oracle Retail Point-of-Service, versions 14.0, 14.1	Retail Applications
Oracle Retail Predictive Application Server, versions 14.1.3.0, 15.0.3.0, 16.0.3.0	Retail Applications
Oracle Retail Price Management, versions 14.0.4, 14.1.3.0, 15.0.3.0, 16.0.3.0	Retail Applications
Oracle Retail Returns Management, versions 14.0, 14.1	Retail Applications
Oracle Retail Service Backbone, versions 14.1, 15.0, 16.0	Retail Applications
Oracle Retail Xstore Point of Service, versions 15.0.3, 16.0.5, 17.0.3, 18.0.2, 19.0.1	Retail Applications
Oracle Solaris, versions 10, 11	Systems
Oracle TimesTen In-Memory Database, versions prior to 11.2.2.8.49, prior to 18.1.3.1.0, prior to 18.1.4.1.0	Database
Oracle Transportation Management, version 6.3.7	Oracle Supply Chain Products
Oracle Utilities Framework, versions 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0	Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 6.1.16	Virtualization
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0	Fusion Middleware
Oracle ZFS Storage Appliance Kit, version 8.8	Systems
PeopleSoft Enterprise HCM Global Payroll Core, version 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58	PeopleSoft
PeopleSoft Enterprise SCM eSupplier Connection, version 9.2	PeopleSoft
Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.8	Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12	Oracle Construction and Engineering Suite
Siebel Applications, versions 20.7, 20.8	Siebel

Note:

Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
Solaris Third Party Bulletins are used to announce security patches for third party software distributed with Oracle Solaris. Solaris 10 customers should refer to the latest patch-sets which contain critical security fixes and detailed in Systems Patch Availability Document. Please see Reference Index of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more information.
Users running Java SE with a browser can download the latest release from https://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is its unique identifier. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

0rich1 Ant Security FG Lab: CVE-2020-14841
Aaron Carreras of FireEye: CVE-2020-14871
Abdulrahman Nour of Redforce: CVE-2020-14823
Ahmed Elhady Mohamed of Ahmed Mohamed: CVE-2020-14768
Akshay Gaikwad: CVE-2020-14762
Alessandro Bosco of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
Alexander Kornbrust of Red Database Security: CVE-2020-14742, CVE-2020-14901
Alves Christopher of Telecom Nancy: CVE-2020-14867
Ammarit Thongthua of Secure D Center Cybersecurity Team: CVE-2020-14778
Amy Tran: CVE-2020-14822, CVE-2020-14831, CVE-2020-14833, CVE-2020-14834, CVE-2020-14849, CVE-2020-14850, CVE-2020-14851, CVE-2020-14856, CVE-2020-14857
Andrej Simko of Accenture: CVE-2020-14774, CVE-2020-14808
Anonymous researcher working with Trend Micro's Zero Day Initiative: CVE-2020-14841, CVE-2020-14881, CVE-2020-14884, CVE-2020-14885, CVE-2020-14886
Bui Duong from Viettel Cyber Security: CVE-2020-14879, CVE-2020-14880
Chi Tran: CVE-2020-14822, CVE-2020-14831, CVE-2020-14833, CVE-2020-14834, CVE-2020-14849, CVE-2020-14850, CVE-2020-14851, CVE-2020-14856, CVE-2020-14857
codeplutos of AntGroup FG Security Lab: CVE-2020-14825
Damian Bury: CVE-2020-14767, CVE-2020-14770
Darragh Duffy: CVE-2020-14744
Eddie Zhu of Beijing DBSEC Technology Co., Ltd: CVE-2020-14741
Edoardo Predieri of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
Fabio Minarelli of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
Filip Ceglik: CVE-2020-14772
Francesco Russo of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
François Goichon of Google: CVE-2020-14735
Gaoning Pan of Zhejiang University & Ant Security Light-Year Lab: CVE-2020-14872, CVE-2020-14892
Graham Rymer of University Information Services, University of Cambridge: CVE-2020-14840
Hangfan Zhang: CVE-2020-14828
Ioannis Charalambous of NCC Group: CVE-2020-14787, CVE-2020-14788
Ivo Palazzolo of Daimler TSS: CVE-2020-14864
Jacob Thompson of FireEye: CVE-2020-14871
Jakub Palaczynski: CVE-2020-14740, CVE-2020-14752
Jakub Plusczok: CVE-2020-14854
Jeffrey Martin of Rapid7: CVE-2020-14871
Joe Almeida of Globlue Technologies: CVE-2020-14815
Julien Zhan of Telecom Nancy: CVE-2020-14867
Khuyen Nguyen of secgit.com: CVE-2020-14816, CVE-2020-14817, CVE-2020-14819, CVE-2020-14835
Kritsada Sunthornwutthikrai of Secure D Center Cybersecurity Team: CVE-2020-14778
Kylinking of NSFocus Security Team: CVE-2020-14841
Larry W. Cashdollar: CVE-2020-14758, CVE-2020-14759
Le Xuan Tuyen - VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-14841, CVE-2020-14859
Long Nguyễn Hữu Vũ: CVE-2020-14863
Longofo of Knownsec 404 Team: CVE-2020-14841
Luca Di Giuseppe of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
Markus Loewe: CVE-2020-14796, CVE-2020-14797, CVE-2020-14798
Massimiliano Brolli of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
Mateusz Dabrowski: CVE-2020-14784
Philippe Antoine of Telecom Nancy: CVE-2020-14867
Piotr Madej of ING Tech Poland: CVE-2020-14740
Preeyakorn Keadsai of Secure D Center Cybersecurity Team: CVE-2020-14778
Quynh Le of VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-14825
r0 from A-TEAM of Legendsec at Qi'anxin Group: CVE-2020-14841
Roger Meyer: CVE-2020-14745
Rui Zhong: CVE-2020-14828
Sergey Ostanin: CVE-2020-14781
Shiva Gupta of Shiva Hacker One: CVE-2020-14890, CVE-2020-14897
Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2020-14764
Thai Nguyen of ECQ: CVE-2020-14826
thiscodecc: CVE-2020-14825
Tomasz Stachowicz: CVE-2020-14780
Trung Le: CVE-2020-14822, CVE-2020-14831, CVE-2020-14833, CVE-2020-14834, CVE-2020-14849, CVE-2020-14850, CVE-2020-14851, CVE-2020-14856, CVE-2020-14857
Tuan Anh Nguyen of Viettel Cyber Security: CVE-2020-14855, CVE-2020-14862, CVE-2020-14875
Tuan Anh Nguyen of Viettel Cyber Security working with Trend Micro Zero Day Initiative: CVE-2020-14876
Ved Prabhu: CVE-2020-14762, CVE-2020-14763, CVE-2020-14898, CVE-2020-14899, CVE-2020-14900
Venustech ADLab: CVE-2020-14820
Viktor Gazdag of NCC Group: CVE-2020-14787, CVE-2020-14788
voidfyoo of Chaitin Security Research Lab: CVE-2020-14882, CVE-2020-14883
Walid Faour: CVE-2020-14783
Xingwei Lin of Ant Security Light-Year Lab: CVE-2020-14872, CVE-2020-14889, CVE-2020-14892
Xinlei Ying of Ant Security Light-Year Lab: CVE-2020-14892
Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2020-14841
Yaoguang Chen of Ant Security Light-Year Lab: CVE-2020-14828, CVE-2020-14861, CVE-2020-14893
Yi Ren of Alibaba: CVE-2020-14790, CVE-2020-14828
Yongheng Chen: CVE-2020-14828
Yu Wang of BMH Security Team: CVE-2020-14841
Yuyue Wang of Alibaba: CVE-2020-14828
Zhiqiang Zang of University of Texas at Austin: CVE-2020-14792
Zouhair Janatil-Idrissi of Telecom Nancy: CVE-2020-14867

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program.:

Amy Tran [35 reports]
Chi Tran [35 reports]
David Wilkins
Markus Loewe [2 reports]
Mateusz Dabrowski
Trung Le [35 reports]

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:

Abdulrahman Ahmed [3 reports]
Abhishek Morla
Adam Willard [2 reports]
Adam Willard of Raytheon Foreground Security
Adarsh VS Mannarakkal
Ahmed Elmalky
Ahmed Omer Morve
Ai Ho (j3ssiejjj)
Alex Munene
Alisha Sheikh
Anil Bhatt
Anurag Kumar Rawat (A1C3VENOM)
Ayan Saha
Badal Sardhara
Bindiya Sardhara
Bui Dinh Bao aka 0xd0ff9 of Zalo Security Team (VNG Corp).
Danny
Dhiraj Mishra
Funny Tech
Gaurav Kumar
Gourab Sadhukhan
Harsh Mukeshbhai Joshi [2 reports]
Himanshu Phulwariya
Karthick Selvaraj
Kartik Sharma
Kaustubh Kale
Kirtan Patel
Kryptos Logic - Threat Intelligence Platform
Kunal Gambhir
Magrabur Alam Sofily
Mansouri Badis
Marwan Ali Albahar [2 reports]
Matthew Harlow of EthicalHacker 20
Mayank Kumar
Mayank Malik, Kartik Sharma
Micah Van Deusen
Omkar Ghaisas
Osman Ahmed Hassan
Pankaj Kumar Thakur from Nepal [3 reports]
Pratish Bhansali
Ria from iZOOlogic
Riccardo Donini
Rick Verdoes & Danny de Weille of HackDefense
Robert Lee Dick [2 reports]
Roger Meyer
Ronak Nahar
Rudi Andriano
Ryan awsmhacks Preston
Sai Prashanth Pulisetti
Sameer Goyal
Shahid Ahmed [2 reports]
Shivang Trivedi [2 reports]
Shubham Kalaria
Shubham Maheshwari
Sidney Omondi of Salaam Technology
Siva Pathela
Soumajit Mukherjee
Sparsh Gupta
Srikar V - exp1o1t9r
Sumit Sah
Supun Madubashana Halangoda
Suresh Nadar
Swapnil Maurya - "swapmaurya20"
Syed Muhammad Asim [2 reports]
Vaibhav Gaikwad of Knock Security Solutions
Venkata Sateesh Netti (str4n63r)
Walid Hossain
Yassine Triki
Yatin Sharma

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

19 January 2021
20 April 2021
20 July 2021
19 October 2021

References

Modification History

Date	Note
2020-December-8	Rev 6. Added a note for CVE-2020-14871.
2020-November-16	Rev 5. Updated Oracle ZFS Storage Appliance Kit row to include CVE-2020-14871.
2020-October-29	Rev 4. Added CVE-2018-2765.
2020-October-27	Rev 3. Credit statement update.
2020-October-22	Rev 2. Affected versions change for CVE-2020-14807, CVE-2020-14810 and credit statement update.
2020-October-20	Rev 1. Initial Release.

Oracle Database Products Risk Matrices

This Critical Patch Update contains 29 new security patches for Oracle Database Products divided as follows:

19 new security patches for Oracle Database Products
1 new security patch for Oracle Big Data Graph
5 new security patches for Oracle REST Data Services
4 new security patches for Oracle TimesTen In-Memory Database

Oracle Database Server Risk Matrix

This Critical Patch Update contains 19 new security patches plus additional third party patches noted below for Oracle Database Products. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 1 of these patches is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-12900	Core RDBMS (bzip2)	DBA Level Account	Oracle Net	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-14735	Scheduler	Local Logon	None	No	8.8	Local	Low	Low	None	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-14734	Oracle Text	None	Oracle Net	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2018-2765	Oracle SSL API	None	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	11.2.0.4, 12.1.0.2, 12.2.0.1
CVE-2020-13935	Workload Manager (Apache Tomcat)	None	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.2.0.1, 18c, 19c
CVE-2020-11023	Oracle Application Express (jQuery)	None	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	Prior to 20.2
CVE-2020-11023	ORDS (jQuery)	None	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c	See Note 1
CVE-2020-14762	Oracle Application Express	SQL Workshop	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	Prior to 20.2
CVE-2020-9281	Oracle Application Express	Valid User Account	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	Prior to 20.2
CVE-2020-14899	Oracle Application Express Data Reporter	Valid User Account	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	Prior to 20.2
CVE-2020-14900	Oracle Application Express Group Calendar	Valid User Account	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	Prior to 20.2
CVE-2020-14898	Oracle Application Express Packaged Apps	Valid User Account	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	Prior to 20.2
CVE-2020-14763	Oracle Application Express Quick Poll	Valid User Account	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	Prior to 20.2
CVE-2020-14741	Database Filesystem	Resource, Create Table, Create View, Create Procedure, Dbfs_role	Oracle Net	No	4.9	Network	Low	High	None	Un- changed	None	None	High	11.2.0.4, 12.1.0.2, 12.2.0.1
CVE-2020-14901	RDBMS Security	Analyze Any	Oracle Net	No	4.9	Network	Low	High	None	Un- changed	High	None	None	19c
CVE-2020-14736	Database Vault	Create Public Synonym	Oracle Net	No	3.8	Network	Low	High	None	Un- changed	Low	Low	None	11.2.0.4, 12.1.0.2, 12.2.0.1
CVE-2020-14743	Java VM	Create Procedure	Multiple	No	3.1	Network	High	Low	None	Un- changed	None	Low	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
CVE-2020-14740	SQL Developer Install	Client Computer User Account	Local Logon	No	2.8	Local	Low	Low	Required	Un- changed	Low	None	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2020-14742	Core RDBMS	SYSDBA level account	Oracle Net	No	2.7	Network	Low	High	None	Un- changed	None	Low	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c

Notes:

Additional ORDS bugs are documented in the risk matrix "Oracle REST Data Services Risk Matrix"

Additional CVEs addressed are:

The patch for CVE-2019-12900 also addresses CVE-2016-3189
The patch for CVE-2020-11023 also addresses CVE-2019-11358 and CVE-2020-11022
The patch for CVE-2020-13935 also addresses CVE-2020-11996, CVE-2020-13934 and CVE-2020-9484
The patch for CVE-2020-14734 also addresses CVE-2016-10244, CVE-2016-10328, CVE-2016-5300, CVE-2016-6153, CVE-2017-10989, CVE-2017-13685, CVE-2017-13745, CVE-2017-14232, CVE-2017-15286, CVE-2017-7857, CVE-2017-7858, CVE-2017-7864, CVE-2017-8105, CVE-2017-8287, CVE-2018-18873, CVE-2018-19139, CVE-2018-19539, CVE-2018-19540, CVE-2018-19541, CVE-2018-19542, CVE-2018-19543, CVE-2018-20346, CVE-2018-20505, CVE-2018-20506, CVE-2018-20570, CVE-2018-20584, CVE-2018-20622, CVE-2018-20843, CVE-2018-6942, CVE-2018-8740, CVE-2018-9055, CVE-2018-9154, CVE-2018-9252, CVE-2019-15903, CVE-2019-16168, CVE-2019-5018, CVE-2019-8457, CVE-2019-9936 and CVE-2019-9937

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

Core RDBMS (LZ4): CVE-2019-17543
Core RDBMS (Zstandard): CVE-2019-11922
Oracle Database (Perl Expat): CVE-2018-20843 and CVE-2019-15903
Oracle Spatial and Graph (Apache Log4j): CVE-2020-9488
Oracle Spatial and Graph (jackson-databind): CVE-2019-16943, CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-5968, CVE-2018-7489, CVE-2019-16942 and CVE-2019-17531
Oracle Spatial and Graph MapViewer (jQuery): CVE-2020-11023, CVE-2019-11358 and CVE-2020-11022
SQL Developer (Apache Batik): CVE-2018-8013 and CVE-2017-5662
SQL Developer (Apache Log4j): CVE-2017-5645
SQL Developer (Apache POI): CVE-2017-12626, CVE-2016-5000, CVE-2017-5644 and CVE-2019-12415
SQL Developer (jackson-databind): CVE-2018-7489, CVE-2017-15095, CVE-2017-17485, CVE-2018-1000873, CVE-2018-11307, CVE-2018-12022, CVE-2018-5968, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-16335, CVE-2019-20330 and CVE-2020-8840
SQL Developer (JCraft JSch): CVE-2016-5725
SQL Developer Install (Bouncy Castle): CVE-2019-17359, CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, CVE-2016-1000341, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345, CVE-2016-1000346, CVE-2016-1000352, CVE-2017-13098, CVE-2018-1000180, CVE-2018-1000613 and CVE-2018-5382

Oracle Database Server Client-Only Installations

The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2020-14740.

Oracle Big Data Graph Risk Matrix

This Critical Patch Update contains 1 new security patch plus additional third party patches noted below for Oracle Big Data Graph. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-0192	Big Data Spatial and Graph	Property Graph Analytics (Apache Solr)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 3.0

Additional CVEs addressed are:

The patch for CVE-2019-0192 also addresses CVE-2017-3164

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

Big Data Spatial and Graph
- Property Graph Analytics (jQuery): CVE-2015-9251
- Property Graph Analytics (jackson-databind): CVE-2020-9546, CVE-2015-9251, CVE-2017-5645, CVE-2018-12023, CVE-2018-14718, CVE-2018-7489, CVE-2019-10744, CVE-2019-12086, CVE-2019-14379, CVE-2019-16943, CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-14195, CVE-2020-9547 and CVE-2020-9548
- Property Graph Analytics (lodash): CVE-2019-10744
- Property Graph Analytics (Apache Log4j): CVE-2017-5645

Oracle REST Data Services Risk Matrix

This Critical Patch Update contains 5 new security patches plus additional third party patches noted below for Oracle REST Data Services. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-7658	Oracle REST Data Services	General (Eclipse Jetty)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2016-1000031	Oracle REST Data Services	General (Apache Commons FileUpload)	HTTP	No	8.0	Network	Low	Low	Required	Un- changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
CVE-2020-14744	Oracle REST Data Services	General	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c; Standalone ORDS: prior to 20.2.1
CVE-2020-11023	Oracle REST Data Services	General (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c; Standalone ORDS: prior to 20.2.1
CVE-2020-14745	Oracle REST Data Services	General	HTTP	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c; Standalone ORDS: prior to 20.2.1

Additional CVEs addressed are:

The patch for CVE-2017-7658 also addresses CVE-2016-4800, CVE-2017-7656, CVE-2017-7657, CVE-2017-9735, CVE-2018-12536, CVE-2018-12538, CVE-2018-12545, CVE-2019-10241, CVE-2019-10246, CVE-2019-10247 and CVE-2019-17632
The patch for CVE-2020-11023 also addresses CVE-2019-11358 and CVE-2020-11022

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

Oracle REST Data Services
- General (Apache Batik): CVE-2018-8013 and CVE-2017-5662
- General (jackson-databind): CVE-2019-16335, CVE-2019-12814, CVE-2019-14540, CVE-2019-14893, CVE-2019-17531, CVE-2019-20330, CVE-2020-11113, CVE-2020-11620 and CVE-2020-8840

Oracle TimesTen In-Memory Database Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle TimesTen In-Memory Database. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-11058	Oracle TimesTen In-Memory Database	EM TimesTen plugin (RSA BSAFE Crypto-C)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 18.1.4.1.0
CVE-2017-5645	Oracle TimesTen In-Memory Database	Install (Apache Log4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	Prior to 11.2.2.8.49
CVE-2019-1010239	Oracle TimesTen In-Memory Database	Install (Dave Gamble/cJSON)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Prior to 18.1.3.1.0
CVE-2019-0201	Oracle TimesTen In-Memory Database	Install (Apache ZooKeeper)	ZAB	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	Prior to 18.1.3.1.0

Additional CVEs addressed are:

The patch for CVE-2017-5645 also addresses CVE-2020-1945
The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769
The patch for CVE-2019-1010239 also addresses CVE-2019-11834 and CVE-2019-11835

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle Communications Applications. 8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-10173	Oracle Communications BRM - Elastic Charging Engine	Diameter Gateway and SDK (xstream)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.3.0.9.0, 12.0.0.3.0
CVE-2020-10683	Oracle Communications Unified Inventory Management	Core (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.0, 7.4.0
CVE-2019-10173	Oracle Communications Unified Inventory Management	Core (xstream)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.0, 7.4.0
CVE-2020-10878	Oracle Communications Billing and Revenue Management	Core (Perl)	TCP	Yes	8.6	Network	Low	None	None	Un- changed	Low	Low	High	12.0.0.2.0, 12.0.0.3.0
CVE-2020-11022	Oracle Communications Billing and Revenue Management	Billing Operation Center and Oracle Communication Billing Care (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.5.0.23.0, 12.0.0.3.0
CVE-2020-9489	Oracle Communications Messaging Server	Core (Apache Tika)	None	No	5.5	Local	Low	None	Required	Un- changed	None	None	High	8.1
CVE-2020-9488	Oracle Communications Billing and Revenue Management	Billing Operation Center and Oracle Communication Billing Care (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	7.5.0.23.0, 12.0.0.3.0
CVE-2020-9488	Oracle Communications Offline Mediation Controller	Core (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	12.0.0.3.0
CVE-2020-9488	Oracle Communications Unified Inventory Management	Core (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	7.3.0, 7.4.0

Additional CVEs addressed are:

The patch for CVE-2020-10878 also addresses CVE-2020-10543 and CVE-2020-12723
The patch for CVE-2020-11022 also addresses CVE-2020-11023

Oracle Communications Risk Matrix

This Critical Patch Update contains 52 new security patches for Oracle Communications. 41 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-10683	Oracle Communications Application Session Controller	WS and WEB (dom4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.9m0p1
CVE-2020-11973	Oracle Communications Diameter Signaling Router (DSR)	IDIH (Apache Camel)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	IDIH: 8.0.0-8.2.2
CVE-2020-2555	Oracle Communications Diameter Signaling Router (DSR)	IDIH (Oracle Coherence)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	IDIH: 8.0.0-8.2.2
CVE-2020-10683	Oracle Communications Diameter Signaling Router (DSR)	IDIH (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	IDIH: 8.0.0-8.2.2
CVE-2019-2904	Oracle Communications Diameter Signaling Router (DSR)	Platform (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.0.0-8.4.0.5
CVE-2019-12260	Oracle Communications EAGLE Software	Network Stack (Wind River VxWorks)	TCP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	46.6.0-46.8.2
CVE-2020-11984	Oracle Communications Element Manager	Core (Apache HTTP Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.2.0-8.2.2
CVE-2020-11984	Oracle Communications Session Report Manager	Core (Apache HTTP Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.2.0-8.2.2
CVE-2020-11984	Oracle Communications Session Route Manager	Core (Apache HTTP Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.2.0-8.2.2
CVE-2019-13990	Oracle Communications Session Route Manager	Core (Quartz Scheduler)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.2.0-8.2.2
CVE-2019-17638	Oracle Communications Application Session Controller	WS and WEB (Eclipse Jetty)	HTTP	Yes	9.4	Network	Low	None	None	Un- changed	High	High	Low	3.9m0p1
CVE-2019-17638	Oracle Communications Element Manager	Core (Eclipse Jetty)	HTTP	Yes	9.4	Network	Low	None	None	Un- changed	High	High	Low	8.2.0-8.2.2
CVE-2019-17638	Oracle Communications Session Report Manager	Core (Eclipse Jetty)	HTTP	Yes	9.4	Network	Low	None	None	Un- changed	High	High	Low	8.2.0-8.2.2
CVE-2019-17638	Oracle Communications Session Route Manager	Core (Eclipse Jetty)	HTTP	Yes	9.4	Network	Low	None	None	Un- changed	High	High	Low	8.2.0-8.2.2
CVE-2020-14195	Oracle Communications Diameter Signaling Router (DSR)	IDIH (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	IDIH: 8.0.0-8.2.2
CVE-2020-14195	Oracle Communications Element Manager	Core (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	8.2.0-8.2.2
CVE-2020-14195	Oracle Communications Evolved Communications Application Server	Universal Data Record (jackson-databind)	XCAP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	7.1
CVE-2020-14195	Oracle Communications Session Report Manager	Core (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	8.2.0-8.2.2
CVE-2020-14195	Oracle Communications Session Route Manager	Core (jackson-databind)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	8.2.0-8.2.2
CVE-2020-5398	Oracle Communications Diameter Signaling Router (DSR)	IDIH (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	IDIH: 8.0.0-8.2.2
CVE-2019-17359	Oracle Communications Diameter Signaling Router (DSR)	IDIH (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	IDIH: 8.0.0-8.2.2
CVE-2019-12402	Oracle Communications Element Manager	Core (Apache Commons Compress)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.2.0-8.2.2
CVE-2020-11080	Oracle Communications Session Border Controller	System (http2)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.3, 8.4
CVE-2019-12402	Oracle Communications Session Report Manager	Core (Apache Commons Compress)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.2.0-8.2.2
CVE-2019-12402	Oracle Communications Session Route Manager	Core (Apache Commons Compress)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.2.0-8.2.2
CVE-2019-17359	Oracle Communications Session Route Manager	Core (Bouncy Castle Java Library)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.2.0-8.2.2
CVE-2019-10173	Oracle Communications Diameter Signaling Router (DSR)	IDIH (xstream)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	IDIH: 8.0.0-8.2.2
CVE-2020-9484	Oracle Communications Diameter Signaling Router (DSR)	Core (Apache Tomcat)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	8.0.0.0-8.4.0.5
CVE-2020-9484	Oracle Communications Element Manager	Core (Apache Tomcat)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	8.2.0-8.2.2
CVE-2020-9484	Oracle Communications Session Report Manager	Core (Apache Tomcat)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	8.2.0-8.2.2
CVE-2020-9484	Oracle Communications Session Route Manager	Core (Apache Tomcat)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	8.2.0-8.2.2
CVE-2020-1945	Oracle Communications Diameter Signaling Router (DSR)	IDIH (Apache Ant)	None	No	6.7	Local	High	None	None	Un- changed	High	High	None	IDIH: 8.0.0-8.2.2
CVE-2020-10722	Oracle Communications Session Border Controller	Platform (DPDK)	None	No	6.7	Local	Low	High	None	Un- changed	High	High	High	8.2-8.4
CVE-2020-5408	Oracle Communications Element Manager	Core (Spring Security)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.2.0-8.2.2
CVE-2020-5408	Oracle Communications Session Report Manager	Core (Spring Security)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.2.0-8.2.2
CVE-2020-5408	Oracle Communications Session Route Manager	Core (Spring Security)	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	8.2.0-8.2.2
CVE-2020-11022	Oracle Communications Application Session Controller	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	3.8m0
CVE-2020-1941	Oracle Communications Diameter Signaling Router (DSR)	IDIH (Apache ActiveMQ)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	IDIH: 8.0.0-8.2.2
CVE-2020-11022	Oracle Communications Diameter Signaling Router (DSR)	IDIH (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	IDIH: 8.0.0-8.2.2
CVE-2019-17091	Oracle Communications Diameter Signaling Router (DSR)	Platform (Eclipse Mojarra)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.0.0-8.4.0.5
CVE-2020-14788	Oracle Communications Diameter Signaling Router (DSR)	User Interface	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.0.0-8.4.0.5
CVE-2020-11022	Oracle Communications WebRTC Session Controller	ME (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.2
CVE-2020-11022	Oracle Enterprise Session Border Controller	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.4
CVE-2019-12415	Oracle Communications Diameter Signaling Router (DSR)	IDIH (Apache POI)	None	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	IDIH: 8.0.0-8.2.2
CVE-2020-14787	Oracle Communications Diameter Signaling Router (DSR)	User Interface	HTTP	No	5.4	Network	Low	Low	Required	Changed	Low	Low	None	8.0.0.0-8.4.0.5
CVE-2019-11048	Oracle Communications Diameter Signaling Router (DSR)	Core (PHP)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.0.0.0-8.4.0.5
CVE-2020-1954	Oracle Communications Diameter Signaling Router (DSR)	IDIH (Apache CXF)	HTTP	Yes	5.3	Adjacent Network	High	None	None	Un- changed	High	None	None	IDIH: 8.0.0-8.2.2
CVE-2020-1954	Oracle Communications Element Manager	Core (Apache CXF)	HTTP	Yes	5.3	Adjacent Network	High	None	None	Un- changed	High	None	None	8.2.0-8.2.2
CVE-2020-1954	Oracle Communications Session Report Manager	Core (Apache CXF)	HTTP	Yes	5.3	Adjacent Network	High	None	None	Un- changed	High	None	None	8.2.0-8.2.2
CVE-2020-1954	Oracle Communications Session Route Manager	Core (Apache CXF)	HTTP	Yes	5.3	Adjacent Network	High	None	None	Un- changed	High	None	None	8.2.0-8.2.2
CVE-2020-9488	Oracle Communications Application Session Controller	WS and WEB (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	3.9m0p1
CVE-2020-9488	Oracle Communications Services Gatekeeper	Media Control UI (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	7

Additional CVEs addressed are:

The patch for CVE-2019-11048 also addresses CVE-2020-7067
The patch for CVE-2019-12260 also addresses CVE-2019-12261
The patch for CVE-2019-13990 also addresses CVE-2019-5427
The patch for CVE-2019-17638 also addresses CVE-2019-17632
The patch for CVE-2020-10722 also addresses CVE-2020-10723 and CVE-2020-10724
The patch for CVE-2020-11022 also addresses CVE-2020-11023
The patch for CVE-2020-11080 also addresses CVE-2019-5436, CVE-2019-5481, CVE-2019-5482, CVE-2019-9511 and CVE-2019-9513
The patch for CVE-2020-11973 also addresses CVE-2020-11971 and CVE-2020-11972
The patch for CVE-2020-11984 also addresses CVE-2020-11993 and CVE-2020-9490
The patch for CVE-2020-14195 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-9546, CVE-2020-9547 and CVE-2020-9548
The patch for CVE-2020-1941 also addresses CVE-2020-13920
The patch for CVE-2020-1945 also addresses CVE-2017-5645
The patch for CVE-2020-1954 also addresses CVE-2019-12423
The patch for CVE-2020-5398 also addresses CVE-2020-5397
The patch for CVE-2020-5408 also addresses CVE-2020-5407

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle Construction and Engineering. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-11984	Instantis EnterpriseTrack	Core (Apache HTTP Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	17.1, 17.2, 17.3
CVE-2019-17495	Primavera Gateway	Admin (Swagger UI)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	16.2.0-16.2.11, 17.12.0-17.12.8
CVE-2015-1832	Primavera Unifier	Platform (Apache Derby)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	None	High	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2017-9096	Primavera Unifier	Platform (iText)	HTTP	Yes	8.8	Network	Low	None	Required	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2020-13935	Instantis EnterpriseTrack	Core (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	17.1, 17.2, 17.3
CVE-2019-17558	Primavera Unifier	Platform (Apache Solr)	HTTP	No	7.5	Network	High	Low	None	Un- changed	High	High	High	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2018-17196	Primavera Unifier	Core (Apache Kafka)	HTTP	Yes	7.0	Network	High	None	None	Un- changed	High	Low	Low	18.8, 19.12
CVE-2020-9489	Primavera Unifier	Platform (Apache Tika)	None	No	5.5	Local	Low	None	Required	Un- changed	None	None	High	16.1, 16.2, 17.7-17.12, 18.8, 19.12
CVE-2020-9488	Primavera Unifier	Core (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	18.8, 19.12

Additional CVEs addressed are:

The patch for CVE-2020-11984 also addresses CVE-2020-11993 and CVE-2020-9490
The patch for CVE-2020-13935 also addresses CVE-2020-13934

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 27 new security patches for Oracle E-Business Suite. 25 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (October 2020), My Oracle Support Note 2707309.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14855	Oracle Universal Work Queue	Work Provider Administration	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.1.3
CVE-2020-14805	Oracle E-Business Suite Secure Enterprise Search	Search Integration Engine	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.3, 12.2.3 - 12.2.10
CVE-2020-14875	Oracle Marketing	Marketing Administration	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1 - 12.1.3, 12.2.3 - 12.2.10
CVE-2020-14876	Oracle Trade Management	User Interface	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1 - 12.1.3, 12.2.3 - 12.2.10
CVE-2020-14862	Oracle Universal Work Queue	Internal Operations	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	12.2.3 - 12.2.9
CVE-2020-14850	Oracle CRM Technical Foundation	Flex Fields	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3 - 12.2.10
CVE-2020-14816	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 - 12.1.3, 12.2.3 - 12.2.10
CVE-2020-14817	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 - 12.1.3, 12.2.3 - 12.2.10
CVE-2020-14831	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 - 12.1.3, 12.2.3 - 12.2.10
CVE-2020-14835	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 - 12.1.3
CVE-2020-14849	Oracle Marketing	Marketing Administration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 - 12.1.3, 12.2.3 - 12.2.10
CVE-2020-14819	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3
CVE-2020-14863	Oracle One-to-One Fulfillment	Print Server	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 - 12.1.3
CVE-2020-14808	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.3, 12.2.3 - 12.2.10
CVE-2020-14833	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 - 12.1.3, 12.2.3 - 12.2.10
CVE-2020-14834	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 - 12.1.3, 12.2.3 - 12.2.10
CVE-2020-14851	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 - 12.1.3, 12.2.3 - 12.2.10
CVE-2020-14856	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 - 12.1.3, 12.2.3 - 12.2.10
CVE-2020-14857	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1 - 12.1.3, 12.2.3 - 12.2.10
CVE-2020-14774	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.1.1 - 12.1.3, 12.2.3 - 12.2.10
CVE-2020-14761	Oracle Applications Manager	Oracle Diagnostics Interfaces	HTTP	Yes	6.5	Network	Low	None	None	Un- changed	Low	Low	None	12.1.3, 12.2.3 - 12.2.7
CVE-2020-14823	Oracle CRM Technical Foundation	Preferences	HTTP	No	6.5	Network	Low	High	None	Un- changed	High	High	None	12.2.3 - 12.2.10
CVE-2020-14811	Oracle Applications Manager	AMP EBS Integration	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3 - 12.2.10
CVE-2020-14826	Oracle Applications Manager	SQL Extensions	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3 - 12.2.10
CVE-2020-14840	Oracle Application Object Library	Diagnostics	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3 - 12.2.10
CVE-2020-14746	Oracle Applications Framework	Popup windows	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.3, 12.2.3 - 12.2.10
CVE-2020-14822	Oracle Installed Base	APIs	HTTP	Yes	4.7	Network	Low	None	Required	Changed	None	Low	None	12.1.1 - 12.1.3, 12.2.3 - 12.2.10

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle Enterprise Manager. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2694898.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-13990	Enterprise Manager Ops Center	Agent Provisioning (Quartz Scheduler)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.4.0.0
CVE-2018-11058	Oracle Application Testing Suite	Load Testing for Web Apps (RSA BSAFE Crypto-C)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	13.3.0.1
CVE-2019-17638	Oracle Application Testing Suite	Load Testing for Web Apps (Eclipse Jetty)	HTTP	Yes	9.4	Network	Low	None	None	Un- changed	High	High	Low	13.3.0.1
CVE-2020-5398	Enterprise Manager Base Platform	Connector Framework (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	13.2.1.0
CVE-2020-1967	Enterprise Manager for Storage Management	Privilege Management (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	13.3.0.0, 13.4.0.0
CVE-2020-5398	Oracle Application Testing Suite	Load Testing for Web Apps (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	13.3.0.1
CVE-2019-3740	Application Performance Management (APM)	Comp Management and Life Cycle Management (RSA BSAFE Crypto-J)	HTTPS	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	13.3.0.0, 13.4.0.0
CVE-2019-2897	Enterprise Manager Base Platform	Event Management	HTTP	No	6.4	Network	Low	Low	None	Changed	Low	Low	None	13.3.0.0, 13.4.0.0
CVE-2020-11022	Enterprise Manager Ops Center	Reports in Ops Center (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.4.0.0
CVE-2020-1954	Enterprise Manager Base Platform	Connector Framework (Apache CXF)	HTTP	Yes	5.3	Adjacent Network	High	None	None	Un- changed	High	None	None	13.2.1.0
CVE-2020-9488	Enterprise Manager for Peoplesoft	PSEM Plugin (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	13.4.1.1

Additional CVEs addressed are:

The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769
The patch for CVE-2019-13990 also addresses CVE-2019-5427
The patch for CVE-2019-17638 also addresses CVE-2019-17632
The patch for CVE-2019-3740 also addresses CVE-2019-3738 and CVE-2019-3739
The patch for CVE-2020-1954 also addresses CVE-2019-12419
The patch for CVE-2020-5398 also addresses CVE-2020-5397

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 53 new security patches for Oracle Financial Services Applications. 49 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-17495	Oracle Banking Platform	Collections (Swagger UI)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0-2.10.0
CVE-2020-10683	Oracle Banking Platform	Collections (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0-2.10.0
CVE-2019-10173	Oracle Banking Platform	Collections (xstream)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.4.0-2.10.0
CVE-2020-10683	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.6-8.1.0
CVE-2020-9546	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.6-8.1.0
CVE-2020-9546	Oracle Financial Services Institutional Performance Analytics	User Interface (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.6, 8.7.0, 8.1.0
CVE-2020-9546	Oracle Financial Services Price Creation and Discovery	User Interface (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.6, 8.0.7
CVE-2017-5645	Oracle Financial Services Regulatory Reporting with AgileREPORTER	Core (Apache Ant)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.9.2.0
CVE-2020-9546	Oracle Financial Services Retail Customer Analytics	User Interface (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.0.6
CVE-2020-11973	Oracle FLEXCUBE Private Banking	Core (Apache Camel)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.0.0, 12.1.0
CVE-2020-14824	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure	HTTP	Yes	8.6	Network	Low	None	None	Changed	None	None	High	8.0.6-8.1.0
CVE-2020-14195	Oracle Banking Digital Experience	Framework (jackson-databind)	HTTPS	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	18.1, 18.2, 18.3, 19.1, 19.2, 20.1
CVE-2020-5398	Oracle Financial Services Regulatory Reporting with AgileREPORTER	Core (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	8.0.9.2.0
CVE-2020-5398	Oracle FLEXCUBE Private Banking	Core (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	12.0.0, 12.1.0
CVE-2020-14894	Oracle Banking Corporate Lending	Core	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.3.0, 14.0.0-14.4.0
CVE-2020-14896	Oracle Banking Payments	Core	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	14.1.0-14.4.0
CVE-2020-14890	Oracle FLEXCUBE Direct Banking	Pre Login	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	12.0.1, 12.0.2, 12.0.3
CVE-2020-14897	Oracle FLEXCUBE Direct Banking	Pre Login	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	12.0.1, 12.0.2, 12.0.3
CVE-2020-14887	Oracle FLEXCUBE Universal Banking	Infrastructure	HTTP	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	12.3.0, 14.0.0-14.4.0
CVE-2020-11022	Oracle Banking Digital Experience	Framework (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	18.1, 18.2, 18.3, 19.1, 19.2, 20.1
CVE-2020-11022	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.1.0
CVE-2020-11022	Oracle Financial Services Analytical Applications Reconciliation Framework	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.0.8, 8.1.0
CVE-2020-11022	Oracle Financial Services Asset Liability Management	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7, 8.1.0
CVE-2020-11022	Oracle Financial Services Balance Sheet Planning	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.8
CVE-2020-11022	Oracle Financial Services Basel Regulatory Capital Basic	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.0.8, 8.1.0
CVE-2020-11022	Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.0.8, 8.1.0
CVE-2020-11022	Oracle Financial Services Data Foundation	Infrastructure (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.1.0
CVE-2020-11022	Oracle Financial Services Data Governance for US Regulatory Reporting	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.0.9
CVE-2020-11022	Oracle Financial Services Data Integration Hub	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7, 8.1.0
CVE-2020-11022	Oracle Financial Services Funds Transfer Pricing	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7, 8.1.0
CVE-2020-11022	Oracle Financial Services Hedge Management and IFRS Valuations	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.0.8, 8.1.0
CVE-2020-11022	Oracle Financial Services Institutional Performance Analytics	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7, 8.1.0
CVE-2020-11022	Oracle Financial Services Liquidity Risk Management	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6
CVE-2020-11022	Oracle Financial Services Liquidity Risk Measurement and Management	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.7, 8.0.8, 8.1.0
CVE-2020-11022	Oracle Financial Services Loan Loss Forecasting and Provisioning	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.0.8, 8.1.0
CVE-2020-11022	Oracle Financial Services Market Risk Measurement and Management	Infrastructure (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.8
CVE-2020-11022	Oracle Financial Services Price Creation and Discovery	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7
CVE-2020-11022	Oracle Financial Services Profitability Management	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6, 8.0.7, 8.1.0
CVE-2020-11022	Oracle Financial Services Regulatory Reporting for European Banking Authority	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.1.0
CVE-2020-11022	Oracle Financial Services Regulatory Reporting for US Federal Reserve	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.0.9
CVE-2020-1941	Oracle FLEXCUBE Private Banking	Core (Apache ActiveMQ)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.0.0, 12.1.0
CVE-2020-11022	Oracle Insurance Accounting Analyzer	IFRS17 (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.9
CVE-2020-11022	Oracle Insurance Allocation Manager for Enterprise Profitability	User Interface (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.8, 8.1.0
CVE-2020-11022	Oracle Insurance Data Foundation	Infrastructure (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.0.6-8.1.0
CVE-2020-1951	Oracle FLEXCUBE Private Banking	Core (Apache Tika)	None	No	5.5	Local	Low	None	Required	Un- changed	None	None	High	12.0.0, 12.1.0
CVE-2019-10247	Oracle FLEXCUBE Core Banking	Core (Eclipse Jetty)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	5.2.0, 11.5.0-11.7.0
CVE-2020-9488	Oracle Financial Services Analytical Applications Infrastructure	Infrastructure (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	8.0.6-8.1.0
CVE-2020-9488	Oracle Financial Services Institutional Performance Analytics	User Interface (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	8.0.6, 8.7.0, 8.1.0
CVE-2020-9488	Oracle Financial Services Market Risk Measurement and Management	Infrastructure (Apache log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	8.0.6, 8.0.8, 8.1.0
CVE-2020-9488	Oracle Financial Services Price Creation and Discovery	User Interface (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	8.0.6, 8.0.7
CVE-2020-9488	Oracle Financial Services Retail Customer Analytics	User Interface (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	8.0.6
CVE-2020-9488	Oracle FLEXCUBE Core Banking	Core (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	5.2.0, 11.5.0-11.7.0
CVE-2020-9488	Oracle FLEXCUBE Private Banking	Core (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	12.0.0, 12.1.0

Additional CVEs addressed are:

The patch for CVE-2019-10173 also addresses CVE-2013-7285
The patch for CVE-2019-10247 also addresses CVE-2019-10246
The patch for CVE-2020-11022 also addresses CVE-2020-11023
The patch for CVE-2020-11973 also addresses CVE-2020-11971 and CVE-2020-11972
The patch for CVE-2020-14195 also addresses CVE-2020-14060, CVE-2020-14061 and CVE-2020-14062
The patch for CVE-2020-1941 also addresses CVE-2020-13920
The patch for CVE-2020-1951 also addresses CVE-2020-1950
The patch for CVE-2020-5398 also addresses CVE-2020-5397
The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-9547 and CVE-2020-9548

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Food and Beverage Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-11022	Oracle Hospitality Materials Control	Mobile Authorization (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	18.1
CVE-2020-11022	Oracle Hospitality Simphony	Simphony Apps (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	18.1, 18.2, 19.1.0-19.1.2
CVE-2020-14753	Oracle Hospitality Reporting and Analytics	Installation	None	No	5.9	Local	Low	Low	Required	Changed	High	None	None	9.1.0
CVE-2020-14783	Oracle Hospitality RES 3700	CAL	TCP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	5.7

Additional CVEs addressed are:

The patch for CVE-2020-11022 also addresses CVE-2020-11023

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 46 new security patches for Oracle Fusion Middleware. 36 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update October 2020 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2694898.1.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2017-5645	Identity Manager Connector	General and Misc (Apache Log4j)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.0
CVE-2018-11058	Oracle Access Manager	Web Server Plugin (RSA BSafe)	HTTPS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.3.0
CVE-2017-9800	Oracle Data Integrator	Install, config, upgrade (Apache HTTP Server)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2020-10683	Oracle Endeca Information Discovery Integrator	Integrator ETL (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.2.0
CVE-2019-10173	Oracle Endeca Information Discovery Studio	Endeca Server (xstream)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	3.2.0
CVE-2019-2904	Oracle Enterprise Repository	Security Subsystem - 12c (Application Development Framework)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.7.0
CVE-2018-8088	Oracle GoldenGate Application Adapters	Application Adapters (SLF4J)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.3.2.1.0
CVE-2019-17531	Oracle GoldenGate Application Adapters	Build Request (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	19.1.0.0.0
CVE-2018-11058	Oracle GoldenGate Application Adapters	Security Service (RSA BSAFE)	HTTPS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.3.2.1.0
CVE-2019-5482	Oracle HTTP Server	Web Listener (cURL)	TFTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0
CVE-2020-10683	Oracle WebCenter Portal	Portlet Services (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0
CVE-2020-2555	Oracle WebCenter Portal	Security Framework (Oracle Coherence)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0
CVE-2019-10173	Oracle WebCenter Portal	Security Framework (xstream)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.1.9.0, 12.2.1.3.0
CVE-2019-17267	Oracle WebLogic Server	Centralized Thirdparty Jars (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0
CVE-2020-14882	Oracle WebLogic Server	Console	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14841	Oracle WebLogic Server	Core	IIOP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14825	Oracle WebLogic Server	Core	IIOP, T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14859	Oracle WebLogic Server	Core	IIOP, T3	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14879	BI Publisher	E-Business Suite - XDO	HTTP	No	8.5	Network	Low	Low	None	Changed	High	Low	None	5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14880	BI Publisher	E-Business Suite - XDO	HTTP	No	8.5	Network	Low	Low	None	Changed	High	Low	None	5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14842	BI Publisher	BI Publisher Security	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14784	Oracle BI Publisher	Mobile Service	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14815	Oracle Business Intelligence Enterprise Edition	Analytics Actions	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2016-2510	Oracle Data Integrator	Jave APIs (BeanShell)	HTTP	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	11.1.1.9.0, 12.2.1.3.0
CVE-2020-3235	Management Pack for Oracle GoldenGate	Monitor (SNMP)	SNMP	No	7.7	Network	Low	Low	None	Changed	None	None	High	12.2.1.2.0
CVE-2020-14864	Oracle Business Intelligence Enterprise Edition	Installation	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-1967	Oracle HTTP Server	SSL Module (OpenSSL)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	12.2.1.4.0
CVE-2020-14820	Oracle WebLogic Server	Core	IIOP, T3	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2019-10097	Oracle HTTP Server	Core (Apache HTTP Server)	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	12.2.1.4.0
CVE-2020-14883	Oracle WebLogic Server	Console	HTTP	No	7.2	Network	Low	High	None	Un- changed	High	High	High	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-14780	BI Publisher	BI Publisher Security	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	Low	None	5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14843	Oracle Business Intelligence Enterprise Edition	Analytics Actions	HTTP	Yes	7.1	Network	Low	None	Required	Changed	Low	Low	Low	5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-14766	Oracle Business Intelligence Enterprise Edition	Analytics Web Administration	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-9484	Oracle Managed File Transfer	MFT Runtime Server (Apache Tomcat)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	12.2.1.3.0, 12.2.1.4.0
CVE-2020-14757	Oracle WebLogic Server	Web Services	HTTP	Yes	6.8	Network	High	None	Required	Un- changed	High	High	None	12.2.1.3.0
CVE-2020-15389	Oracle Outside In Technology	Installation (OpenJPEG)	HTTP	Yes	6.5	Network	High	None	None	Un- changed	Low	None	High	8.5.5, 8.5.4	See Note 1
CVE-2020-1945	Oracle Business Process Management Suite	Runtime Engine (Apache Ant)	None	No	6.3	Local	High	Low	None	Un- changed	High	High	None	12.2.1.3.0, 12.2.1.4.0
CVE-2019-11358	BI Publisher	BI Publisher Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2019-11358	Oracle Business Process Management Suite	Runtime Engine (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2019-2904	Oracle Business Process Management Suite	Runtime Engine (Application Development Framework)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.1.3.0, 12.2.1.4.0
CVE-2020-11022	Oracle JDeveloper	ADF Faces (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-9281	Oracle WebCenter Portal	Blogs and Wikis (CKEditor)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
CVE-2020-11022	Oracle WebLogic Server	Console (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CVE-2020-1951	Oracle Business Process Management Suite	Document Service (Apache Tika)	None	No	5.5	Local	Low	None	Required	Un- changed	None	None	High	12.2.1.3.0, 12.2.1.4.0
CVE-2020-13631	Oracle Outside In Technology	Installation (SQLite)	None	No	5.5	Local	Low	Low	None	Un- changed	None	High	None	8.5.5, 8.5.4	See Note 1
CVE-2020-9488	Oracle WebLogic Server	Core (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	10.3.6.0.0

Notes:

Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are:

The patch for CVE-2017-9800 also addresses CVE-2016-2167, CVE-2016-2168 and CVE-2016-8734
The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769
The patch for CVE-2019-17267 also addresses CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943
The patch for CVE-2019-17531 also addresses CVE-2019-16943, CVE-2019-17267 and CVE-2019-20330
The patch for CVE-2019-5482 also addresses CVE-2019-5435, CVE-2019-5436, CVE-2019-5443 and CVE-2019-5481
The patch for CVE-2020-11022 also addresses CVE-2020-11023
The patch for CVE-2020-13631 also addresses CVE-2020-11655, CVE-2020-11656, CVE-2020-13630, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
The patch for CVE-2020-1951 also addresses CVE-2020-1950

Oracle GraalVM Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle GraalVM. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14803	Oracle GraalVM Enterprise Edition	Java	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	19.3.3, 20.2.0

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Health Sciences Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-1953	Oracle Healthcare Foundation	Self Service Analytics (Apache Commons Configuration)	HTTP	Yes	10.0	Network	Low	None	None	Changed	High	High	High	7.1.1, 7.2.0, 7.2.1, 7.3.0
CVE-2020-10683	Oracle Health Sciences Empirica Signal	User Interface (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.0
CVE-2020-2555	Oracle Healthcare Data Repository	Database Module (Oracle Coherence)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.0.1
CVE-2020-11022	Oracle Healthcare Foundation	Admin Console (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	7.1.1, 7.2.0, 7.2.1, 7.3.0

Additional CVEs addressed are:

The patch for CVE-2020-11022 also addresses CVE-2020-11023

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Hospitality Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-17638	Oracle Hospitality Guest Access	Base (Eclipse Jetty)	HTTP	Yes	9.4	Network	Low	None	None	Un- changed	High	High	Low	4.2.0, 4.2.1
CVE-2020-14807	Oracle Hospitality Suite8	WebConnect	HTTP	Yes	7.1	Network	Low	None	Required	Un- changed	High	Low	None	8.10.2, 8.11-8.14
CVE-2020-9484	Oracle Hospitality Guest Access	Base (Apache Tomcat)	None	No	7.0	Local	High	Low	None	Un- changed	High	High	High	4.2.0, 4.2.1
CVE-2020-14858	Oracle Hospitality OPERA 5 Property Services	Logging	HTTP	No	6.8	Network	Low	High	Required	Un- changed	High	High	High	5.5, 5.6
CVE-2020-14877	Oracle Hospitality OPERA 5 Property Services	Logging	HTTP	No	6.5	Network	Low	High	None	Un- changed	High	High	None	5.5, 5.6
CVE-2020-14810	Oracle Hospitality Suite8	WebConnect	HTTP	Yes	5.4	Network	Low	None	Required	Un- changed	Low	Low	None	8.10.2, 8.11-8.14

Additional CVEs addressed are:

The patch for CVE-2019-17638 also addresses CVE-2019-17632

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle Hyperion. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-5482	Hyperion Essbase	Security and Provisioning (cURL)	TFTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.1.2.4
CVE-2020-14854	Hyperion Infrastructure Technology	UI and Visualization	HTTP	No	6.1	Network	Low	High	Required	Un- changed	High	High	None	11.1.2.4
CVE-2019-1547	Hyperion Essbase	Security and Provisioning (OpenSSL)	None	No	4.7	Local	High	Low	None	Un- changed	High	None	None	11.1.2.4
CVE-2020-14768	Hyperion Analytic Provider Services	Smart View Provider	HTTP	No	4.3	Adjacent Network	High	Low	Required	Un- changed	Low	Low	Low	11.1.2.4
CVE-2020-14767	Hyperion BI+	IQR-Foundation service	Multiple	No	4.2	Network	High	High	Required	Un- changed	High	None	None	11.1.2.4
CVE-2020-14752	Hyperion Lifecycle Management	Shared Services	HTTP	No	4.2	Network	High	High	Required	Un- changed	None	High	None	11.1.2.4
CVE-2020-14772	Hyperion Lifecycle Management	Shared Services	HTTP	No	4.2	Network	High	High	Required	Un- changed	None	High	None	11.1.2.4
CVE-2020-14764	Hyperion Planning	Application Development Framework	HTTP	No	4.2	Network	High	High	Required	Un- changed	None	High	None	11.1.2.4
CVE-2020-14770	Hyperion BI+	IQR-Foundation service	Multiple	No	2.0	Network	High	High	Required	Un- changed	Low	None	None	11.1.2.4

Additional CVEs addressed are:

The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563
The patch for CVE-2019-5482 also addresses CVE-2019-5481

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Insurance Applications. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-9546	Oracle Insurance Policy Administration J2EE	Architecture (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	11.0.2.25, 11.1.0.15
CVE-2020-5398	Oracle Insurance Policy Administration J2EE	Admin Console (Spring Framework)	HTTP	Yes	7.5	Network	High	None	Required	Un- changed	High	High	High	11.2.2.0
CVE-2020-11022	Oracle Insurance Insbridge Rating and Underwriting	Framework Administrator IBFA (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	5.0.0.0 - 5.6.0.0, 5.6.1.0
CVE-2020-9488	Oracle Insurance Insbridge Rating and Underwriting	Framework Administrator IBFA (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	5.0.0.0 - 5.6.0.0, 5.6.1.0
CVE-2020-9488	Oracle Insurance Policy Administration J2EE	Architecture (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26
CVE-2020-9488	Oracle Insurance Rules Palette	Architecture (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26

Additional CVEs addressed are:

The patch for CVE-2020-11022 also addresses CVE-2019-11358 and CVE-2020-11023
The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-9547 and CVE-2020-9548

Oracle Java SE Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14803	Java SE	Libraries	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	Java SE: 11.0.8, 15	See Note 1
CVE-2020-14792	Java SE, Java SE Embedded	Hotspot	Multiple	Yes	4.2	Network	High	None	Required	Un- changed	Low	Low	None	Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261	See Note 2
CVE-2020-14781	Java SE, Java SE Embedded	JNDI	Multiple	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261	See Note 2
CVE-2020-14782	Java SE, Java SE Embedded	Libraries	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	Low	None	Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261	See Note 2
CVE-2020-14797	Java SE, Java SE Embedded	Libraries	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	Low	None	Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261	See Note 2
CVE-2020-14779	Java SE, Java SE Embedded	Serialization	Multiple	Yes	3.7	Network	High	None	None	Un- changed	None	None	Low	Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261	See Note 2
CVE-2020-14796	Java SE, Java SE Embedded	Libraries	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	Low	None	None	Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261	See Note 1
CVE-2020-14798	Java SE, Java SE Embedded	Libraries	Multiple	Yes	3.1	Network	High	None	Required	Un- changed	None	Low	None	Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261	See Note 1

Notes:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 53 new security patches plus additional third party patches noted below for Oracle MySQL. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-8174	MySQL Cluster	Cluster: JS module (Node.js)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.3.30 and prior, 7.4.29 and prior, 7.5.19 and prior, 7.6.15 and prior, 8.0.21 and prior
CVE-2020-14878	MySQL Server	Server: Security: LDAP Auth	MySQL Protocol	No	8.0	Adjacent Network	Low	Low	None	Un- changed	High	High	High	8.0.21 and prior
CVE-2020-13935	MySQL Enterprise Monitor	Monitoring: General (Apache Tomcat)	HTTPS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-1967	MySQL Workbench	Workbench: Security: Encryption (OpenSSL)	MySQL Workbench	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14828	MySQL Server	Server: DML	MySQL Protocol	No	7.2	Network	Low	High	None	Un- changed	High	High	High	8.0.21 and prior
CVE-2020-14775	MySQL Server	InnoDB	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.7.31 and prior, 8.0.21 and prior
CVE-2020-14765	MySQL Server	Server: FTS	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
CVE-2020-14769	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
CVE-2020-14830	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14836	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14846	MySQL Server	Server: Optimizer	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14800	MySQL Server	Server: Security: Encryption	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14827	MySQL Server	Server: Security: LDAP Auth	MySQL Protocol	No	6.5	Network	Low	Low	None	Un- changed	High	None	None	5.7.31 and prior, 8.0.21 and prior
CVE-2020-14760	MySQL Server	Server: Optimizer	MySQL Protocol	No	5.5	Network	Low	High	None	Un- changed	None	Low	High	5.7.31 and prior
CVE-2020-1730	MySQL Workbench	MySQL Workbench (libssh)	MySQL Workbench	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	8.0.21 and prior
CVE-2020-14776	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.31 and prior, 8.0.21 and prior
CVE-2020-14821	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14829	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14848	MySQL Server	InnoDB	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14852	MySQL Server	Server: Charsets	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14814	MySQL Server	Server: DML	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14789	MySQL Server	Server: FTS	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.31 and prior, 8.0.21 and prior
CVE-2020-14804	MySQL Server	Server: FTS	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14812	MySQL Server	Server: Locking	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
CVE-2020-14773	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14777	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14785	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14793	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
CVE-2020-14794	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14809	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14837	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14839	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14845	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14861	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14866	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14868	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14888	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14891	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14893	MySQL Server	Server: Optimizer	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14786	MySQL Server	Server: PS	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14790	MySQL Server	Server: PS	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.31 and prior, 8.0.21 and prior
CVE-2020-14844	MySQL Server	Server: PS	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14799	MySQL Server	Server: Security: Encryption	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.20 and prior
CVE-2020-14869	MySQL Server	Server: Security: LDAP Auth	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.7.31 and prior, 8.0.21 and prior
CVE-2020-14672	MySQL Server	Server: Stored Procedure	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
CVE-2020-14870	MySQL Server	Server: X Plugin	MySQL Protocol	No	4.9	Network	Low	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14853	MySQL Cluster	Cluster: NDBCluster Plugin	Multiple	No	4.6	Network	Low	Low	Required	Un- changed	None	Low	Low	8.0.21 and prior
CVE-2020-14867	MySQL Server	Server: DDL	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
CVE-2020-14873	MySQL Server	Server: Logging	MySQL Protocol	No	4.4	Network	High	High	None	Un- changed	None	None	High	8.0.21 and prior
CVE-2020-14838	MySQL Server	Server: Security: Privileges	MySQL Protocol	No	4.3	Network	Low	Low	None	Un- changed	Low	None	None	8.0.21 and prior
CVE-2020-14860	MySQL Server	Server: Security: Roles	MySQL Protocol	No	2.7	Network	Low	High	None	Un- changed	None	Low	None	8.0.21 and prior
CVE-2020-14791	MySQL Server	InnoDB	MySQL Protocol	No	2.2	Network	High	High	None	Un- changed	None	None	Low	8.0.21 and prior
CVE-2020-14771	MySQL Server	Server: Security: LDAP Auth	MySQL Protocol	No	2.2	Network	High	High	None	Un- changed	None	None	Low	5.7.31 and prior, 8.0.21 and prior

Additional CVEs addressed are:

The patch for CVE-2020-13935 also addresses CVE-2020-11996, CVE-2020-13934 and CVE-2020-9484
The patch for CVE-2020-8174 also addresses CVE-2020-11080 and CVE-2020-8172

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

MySQL Cluster
- Cluster: Configuration (dojo): CVE-2020-4051

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 15 new security patches for Oracle PeopleSoft. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2018-11058	PeopleSoft Enterprise PeopleTools	Weblogic (RSA BSafe)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.56, 8.57, 8.58
CVE-2020-14865	PeopleSoft Enterprise SCM eSupplier Connection	eSupplier Connection	HTTP	No	8.1	Network	Low	Low	None	Un- changed	High	High	None	9.2
CVE-2020-14795	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	8.57, 8.58
CVE-2020-14778	PeopleSoft Enterprise HCM Global Payroll Core	Security	HTTP	No	6.3	Network	Low	Low	None	Un- changed	Low	Low	Low	9.2
CVE-2020-14832	PeopleSoft Enterprise PeopleTools	Integration Broker	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57, 8.58
CVE-2020-14801	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57, 8.58
CVE-2020-14802	PeopleSoft Enterprise PeopleTools	PIA Core Technology	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57, 8.58
CVE-2020-11022	PeopleSoft Enterprise PeopleTools	PIA Core Technology (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57, 8.58
CVE-2020-14813	PeopleSoft Enterprise PeopleTools	PIA Grids	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57, 8.58
CVE-2020-11022	PeopleSoft Enterprise PeopleTools	Portal, Charting (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	8.56, 8.57, 8.58
CVE-2020-1954	PeopleSoft Enterprise PeopleTools	Elastic Search (Apache CXF)	HTTP	Yes	5.3	Adjacent Network	High	None	None	Un- changed	High	None	None	8.56
CVE-2020-14806	PeopleSoft Enterprise PeopleTools	Query	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	8.56, 8.57, 8.58
CVE-2020-9488	PeopleSoft Enterprise PeopleTools	Tools Admin API (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	8.56, 8.57, 8.58
CVE-2020-9488	PeopleSoft Enterprise PeopleTools	Updates Environment Mgmt (Apache Log4j)	SMTPS	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	8.56, 8.57, 8.58
CVE-2020-14847	PeopleSoft Enterprise PeopleTools	Query	HTTP	No	2.7	Network	Low	High	None	Un- changed	Low	None	None	8.56, 8.57, 8.58

Additional CVEs addressed are:

The patch for CVE-2020-11022 also addresses CVE-2020-11023

Oracle Policy Automation Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Policy Automation. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-11022	Oracle Policy Automation	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.0 - 12.2.20
CVE-2020-11022	Oracle Policy Automation Connector for Siebel	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	10.4.6
CVE-2020-11022	Oracle Policy Automation for Mobile Devices	Core (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	12.2.0 - 12.2.20
CVE-2020-9488	Oracle Policy Automation	Core (Apache Log4j)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	12.2.0 - 12.2.20
CVE-2020-9488	Oracle Policy Automation Connector for Siebel	Core (Apache Log4j)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	10.4.6
CVE-2020-9488	Oracle Policy Automation for Mobile Devices	Core (Apache Log4j)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	12.2.0 - 12.2.20

Additional CVEs addressed are:

The patch for CVE-2020-11022 also addresses CVE-2020-11023

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 28 new security patches for Oracle Retail Applications. 25 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-10683	Oracle Retail Order Broker	System Administration (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	15.0, 16.0, 18.0, 19.0, 19.1
CVE-2020-10683	Oracle Retail Price Management	Security (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.0.4, 14.1.3.0, 15.0.3.0, 16.0.3.0
CVE-2020-9546	Oracle Retail Service Backbone	RSB kernel (jackson-databind)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	14.1, 15.0, 16.0
CVE-2020-1945	Oracle Retail Back Office	Security (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	14.0, 14.1
CVE-2020-1945	Oracle Retail Central Office	Security (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	14.0, 14.1
CVE-2020-1945	Oracle Retail Integration Bus	RIB Kernal (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	14.1, 15.0, 16.0
CVE-2020-1945	Oracle Retail Point-of-Service	Security (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	14.0, 14.1
CVE-2020-1945	Oracle Retail Returns Management	Security (Apache Ant)	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	14.0, 14.1
CVE-2020-9410	Oracle Retail Order Broker	Order Broker Foundation (jasperreports_server)	HTTP	Yes	8.8	Network	Low	None	Required	Un- changed	High	High	High	15.0, 16.0
CVE-2019-3740	Oracle Retail Assortment Planning	Application Core (RSA BSAFE Crypto-J)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	15.0.3.0, 16.0.3.0
CVE-2019-3740	Oracle Retail Integration Bus	RIB Kernal (RSA BSAFE Crypto-J)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	14.1, 15.0, 16.0
CVE-2019-3740	Oracle Retail Predictive Application Server	RPAS Server (RSA BSAFE Crypto-J)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	14.1.3.0, 15.0.3.0, 16.0.3.0
CVE-2019-3740	Oracle Retail Service Backbone	RSB kernel (RSA BSAFE Crypto-J)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	14.1, 15.0, 16.0
CVE-2019-3740	Oracle Retail Xstore Point of Service	Xenvironment (RSA BSAFE Crypto-J)	HTTP	Yes	6.5	Network	Low	None	Required	Un- changed	High	None	None	15.0.3, 16.0.5, 17.0.3, 18.0.2, 19.0.1
CVE-2020-11022	Oracle Retail Back Office	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	14.0, 14.1
CVE-2020-11022	Oracle Retail Central Office	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	14.0, 14.1
CVE-2020-11022	Oracle Retail Customer Management and Segmentation Foundation	Segments (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	19.0
CVE-2019-11358	Oracle Retail Point-of-Service	Mobile POS (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	14.0, 14.1
CVE-2020-11022	Oracle Retail Returns Management	Security (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	14.0, 14.1
CVE-2019-12415	Oracle Retail Order Broker	Store Connect (Apache POI)	none	No	5.5	Local	Low	Low	None	Un- changed	High	None	None	15.0, 16.0
CVE-2020-9488	Oracle Retail Advanced Inventory Planning	AIP Dashboard (Apache Log4j)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	14.1
CVE-2020-9488	Oracle Retail Assortment Planning	Application Core (Apache Log4j)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	15.0.3.0, 16.0.3.0
CVE-2020-9488	Oracle Retail Bulk Data Integration	BDI Job Scheduler (Apache Log4j)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	15.0.3.0, 16.0.3.0
CVE-2020-9488	Oracle Retail Integration Bus	RIB Kernal (Apache Log4j)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	14.1, 15.0, 16.0
CVE-2020-9488	Oracle Retail Order Broker	Store Connect (Apache Log4j)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	16.0, 18.0, 19.0, 19.1, 19.2, 19.3
CVE-2020-9488	Oracle Retail Predictive Application Server	RPAS Fusion Client (Apache Log4j)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	14.1.3.0, 15.0.3.0, 16.0.3.0
CVE-2020-14732	Oracle Retail Customer Management and Segmentation Foundation	Promotions	HTTP	No	3.1	Network	High	Low	None	Un- changed	Low	None	None	19.0
CVE-2020-14731	Oracle Retail Customer Management and Segmentation Foundation	Segment	HTTP	No	3.1	Network	High	Low	None	Un- changed	Low	None	None	18.0, 19.0

Additional CVEs addressed are:

The patch for CVE-2019-3740 also addresses CVE-2019-3738 and CVE-2019-3739
The patch for CVE-2020-11022 also addresses CVE-2020-11023
The patch for CVE-2020-1945 also addresses CVE-2017-5645
The patch for CVE-2020-9410 also addresses CVE-2020-9409
The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-9547 and CVE-2020-9548

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Siebel CRM. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2016-1000031	Siebel Apps - Marketing	Mktg/Email Mktg Stand-Alone (Apache Commons File Upload)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	20.7
CVE-2019-10072	Siebel Apps - Marketing	Mktg/Campaign Mgmt (Apache Tomcat)	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	20.7
CVE-2020-11022	Siebel UI Framework	UIF Open UI (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	20.8

Additional CVEs addressed are:

The patch for CVE-2020-11022 also addresses CVE-2020-11023

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Supply Chain. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-1938	Oracle Agile PLM	Folders, Files & Attachments (Apache Tomcat)	AJP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.3.3, 9.3.5, 9.3.6
CVE-2020-10683	Oracle Agile PLM	Security (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	9.3.3, 9.3.5
CVE-2020-9484	Oracle Transportation Management	Install (Apache Tomcat)	AJP	No	7.0	Local	High	Low	None	Un- changed	High	High	High	6.3.7
CVE-2020-11022	Oracle Agile Product Lifecycle Management for Process	Supplier Portal (jQuery)	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	6.2.0.0

Additional CVEs addressed are:

The patch for CVE-2020-11022 also addresses CVE-2020-11023
The patch for CVE-2020-1938 also addresses CVE-2019-17569, CVE-2020-13934, CVE-2020-13935, CVE-2020-1935 and CVE-2020-9484

Oracle Systems Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle Systems. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14871	Oracle Solaris	Pluggable authentication module	Multiple	Yes	10.0	Network	Low	None	None	Changed	High	High	High	10, 11	See Note 1
CVE-2020-14871	Oracle ZFS Storage Appliance Kit	Operating System Image	Multiple	Yes	10.0	Network	Low	None	None	Changed	High	High	High	8.8	See Note 1
CVE-2019-11477	Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers	XCP Firmware (Linux Kernel)	TCP	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	Prior to XCP2362, prior to XCP3090
CVE-2018-3693	Fujitsu M12-1, M12-2, M12-2S Servers	XCP Firmware (Kernel)	None	No	5.6	Local	High	Low	None	Changed	High	None	None	Prior to XCP3090
CVE-2020-14758	Oracle Solaris	Kernel	None	No	5.6	Local	Low	Low	Required	Un- changed	High	None	Low	11
CVE-2020-14754	Oracle Solaris	Filesystem	None	No	5.5	Local	Low	Low	None	Un- changed	None	None	High	11
CVE-2020-14818	Oracle Solaris	Utility	SSH	No	3.0	Network	High	Low	Required	Changed	None	Low	None	11
CVE-2020-14759	Oracle Solaris	Kernel	None	No	2.5	Local	High	Low	Required	Changed	None	Low	None	11

Notes:

This CVE is not exploitable for Solaris 11.1 and later releases, and ZFSSA 8.7 and later releases, thus the CVSS Base Score is 0.0.

Additional CVEs addressed are:

The patch for CVE-2019-11477 also addresses CVE-2019-11478 and CVE-2019-11479
The patch for CVE-2020-14871 for Oracle ZFS Storage Appliance Kit also addresses CVE-2019-18348, CVE-2020-3909, CVE-2020-10108, CVE-2020-12243, CVE-2020-13630, CVE-2020-14758 and CVE-2020-14759

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Utilities Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2019-10173	Oracle Utilities Framework	Common (xstream)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0
CVE-2020-10683	Oracle Utilities Framework	General (dom4j)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0
CVE-2020-1945	Oracle Utilities Framework	General (Apache Ant)	None	No	6.3	Local	High	Low	None	Un- changed	High	High	None	2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0
CVE-2020-14895	Oracle Utilities Framework	System Wide	HTTP	No	5.4	Network	Low	Low	None	Un- changed	Low	Low	None	2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0
CVE-2020-9488	Oracle Utilities Framework	Common (Apache Log4j)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0

Additional CVEs addressed are:

The patch for CVE-2020-1945 also addresses CVE-2017-5645

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)									Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability	Supported Versions Affected	Notes
CVE-2020-14872	Oracle VM VirtualBox	Core	None	No	8.2	Local	Low	High	None	Changed	High	High	High	Prior to 6.1.16
CVE-2020-14881	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 6.1.16
CVE-2020-14884	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 6.1.16
CVE-2020-14885	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 6.1.16
CVE-2020-14886	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 6.1.16
CVE-2020-14889	Oracle VM VirtualBox	Core	None	No	6.0	Local	Low	High	None	Changed	High	None	None	Prior to 6.1.16
CVE-2020-14892	Oracle VM VirtualBox	Core	None	No	5.5	Local	Low	Low	None	Un- changed	None	None	High	Prior to 6.1.16