Oracle Critical Patch Update Advisory - October 2020

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.

Starting with the October 2020 Critical Patch Update, Oracle lists updates that address vulnerabilities in third-party components which are not exploitable in the context of their inclusion in their respective Oracle product beneath the product's risk matrix. Oracle has published two versions of the October 2020 Critical Patch Update Advisory: this version of the advisory implemented the change in how non-exploitable vulnerabilities in third-party components are reported, and the “traditional” advisory follows the same format as the previous advisories. The “traditional” advisory is published at https://www.oracle.com/security-alerts/cpuoct2020traditional.html.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 403 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at October 2020 Critical Patch Update: Executive Summary and Analysis.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions | Patch Availability Document
Application Performance Management (APM), versions 13.3.0.0, 13.4.0.0 | Enterprise Manager
Big Data Spatial and Graph, versions prior to 3.0 | Database
Enterprise Manager Base Platform, versions 13.2.1.0, 13.3.0.0, 13.4.0.0 | Enterprise Manager
Enterprise Manager for Peoplesoft, version 13.4.1.1 | Enterprise Manager
Enterprise Manager for Storage Management, versions 13.3.0.0, 13.4.0.0 | Enterprise Manager
Enterprise Manager Ops Center, version 12.4.0.0 | Enterprise Manager
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2362, prior to XCP3090 | Systems
Fujitsu M12-1, M12-2, M12-2S Servers, versions prior to XCP3090 | Systems
Hyperion Analytic Provider Services, version 11.1.2.4 | Fusion Middleware
Hyperion BI+, version 11.1.2.4 | Fusion Middleware
Hyperion Essbase, version 11.1.2.4 | Fusion Middleware
Hyperion Infrastructure Technology, version 11.1.2.4 | Fusion Middleware
Hyperion Lifecycle Management, version 11.1.2.4 | Fusion Middleware
Hyperion Planning, version 11.1.2.4 | Fusion Middleware
Identity Manager Connector, version 9.0 | Fusion Middleware
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3 | Oracle Construction and Engineering Suite
Management Pack for Oracle GoldenGate, version 12.2.1.2.0 | Fusion Middleware
MySQL Cluster, versions 7.3.30 and prior, 7.4.29 and prior, 7.5.19 and prior, 7.6.15 and prior, 8.0.21 and prior | MySQL
MySQL Enterprise Monitor, versions 8.0.21 and prior | MySQL
MySQL Server, versions 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | MySQL
MySQL Workbench, versions 8.0.21 and prior | MySQL
Oracle Access Manager, version 11.1.2.3.0 | Fusion Middleware
Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6 | Oracle Supply Chain Products
Oracle Agile Product Lifecycle Management for Process, version 6.2.0.0 | Oracle Supply Chain Products
Oracle Application Express, versions prior to 20.2 | Database
Oracle Application Testing Suite, version 13.3.0.1 | Enterprise Manager
Oracle Banking Corporate Lending, versions 12.3.0, 14.0.0-14.4.0 | Oracle Financial Services Applications
Oracle Banking Digital Experience, versions 18.1, 18.2, 18.3, 19.1, 19.2, 20.1 | Oracle Financial Services Applications
Oracle Banking Payments, versions 14.1.0-14.4.0 | Oracle Financial Services Applications
Oracle Banking Platform, versions 2.4.0-2.10.0 | Oracle Banking Platform
Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Communications Application Session Controller, versions 3.8m0, 3.9m0p1 | Oracle Communications Application Session Controller
Oracle Communications Billing and Revenue Management, versions 7.5.0.23.0, 12.0.0.2.0, 12.0.0.3.0 | Oracle Communications Billing and Revenue Management
Oracle Communications BRM - Elastic Charging Engine, versions 11.3.0.9.0, 12.0.0.3.0 | Oracle Communications BRM - Elastic Charging Engine
Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0.0-8.4.0.5, [IDIH] 8.0.0-8.2.2 | Oracle Communications Diameter Signaling Router
Oracle Communications EAGLE Software, versions 46.6.0-46.8.2 | Oracle Communications EAGLE
Oracle Communications Element Manager, versions 8.2.0-8.2.2 | Oracle Communications Element Manager
Oracle Communications Evolved Communications Application Server, version 7.1 | Oracle Communications Evolved Communications Application Server
Oracle Communications Messaging Server, version 8.1 | Oracle Communications Messaging Server
Oracle Communications Offline Mediation Controller, version 12.0.0.3.0 | Oracle Communications Offline Mediation Controller
Oracle Communications Services Gatekeeper, version 7 | Oracle Communications Services Gatekeeper
Oracle Communications Session Border Controller, versions 8.2-8.4 | Oracle Communications Session Border Controller
Oracle Communications Session Report Manager, versions 8.2.0-8.2.2 | Oracle Communications Session Report Manager
Oracle Communications Session Route Manager, versions 8.2.0-8.2.2 | Oracle Communications Session Route Manager
Oracle Communications Unified Inventory Management, versions 7.3.0, 7.4.0 | Oracle Communications Unified Inventory Management
Oracle Communications WebRTC Session Controller, version 7.2 | Oracle Communications WebRTC Session Controller
Oracle Data Integrator, versions 11.1.1.9.0, 12.2.1.3.0 | Fusion Middleware
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | Database
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10 | E-Business Suite
Oracle Endeca Information Discovery Integrator, version 3.2.0 | Fusion Middleware
Oracle Endeca Information Discovery Studio, version 3.2.0 | Fusion Middleware
Oracle Enterprise Repository, version 11.1.1.7.0 | Fusion Middleware
Oracle Enterprise Session Border Controller, version 8.4 | Oracle Enterprise Session Border Controller
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0 | Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Analytical Applications Reconciliation Framework, versions 8.0.6-8.0.8, 8.1.0 | Oracle Financial Services Analytical Applications Reconciliation Framework
Oracle Financial Services Asset Liability Management, versions 8.0.6, 8.0.7, 8.1.0 | Oracle Financial Services Asset Liability Management
Oracle Financial Services Balance Sheet Planning, version 8.0.8 | Oracle Financial Services Balance Sheet Planning
Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.6-8.0.8, 8.1.0 | Oracle Financial Services Basel Regulatory Capital Basic
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.6-8.0.8, 8.1.0 | Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach
Oracle Financial Services Data Foundation, versions 8.0.6-8.1.0 | Oracle Financial Services Data Foundation
Oracle Financial Services Data Governance for US Regulatory Reporting, versions 8.0.6-8.0.9 | Oracle Financial Services Data Governance for US Regulatory Reporting
Oracle Financial Services Data Integration Hub, versions 8.0.6, 8.0.7, 8.1.0 | Oracle Financial Services Data Integration Hub
Oracle Financial Services Funds Transfer Pricing, versions 8.0.6, 8.0.7, 8.1.0 | Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.6-8.0.8, 8.1.0 | Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services Institutional Performance Analytics, versions 8.0.6, 8.0.7, 8.1.0, 8.7.0 | Oracle Financial Services Institutional Performance Analytics
Oracle Financial Services Liquidity Risk Management, version 8.0.6 | Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Liquidity Risk Measurement and Management, versions 8.0.7, 8.0.8, 8.1.0 | Oracle Financial Services Liquidity Risk Measurement and Management
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.6-8.0.8, 8.1.0 | Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Market Risk Measurement and Management, versions 8.0.6, 8.0.8, 8.1.0 | Oracle Financial Services Market Risk Measurement and Management
Oracle Financial Services Price Creation and Discovery, versions 8.0.6, 8.0.7 | Oracle Financial Services Price Creation And Discovery
Oracle Financial Services Profitability Management, versions 8.0.6, 8.0.7, 8.1.0 | Oracle Financial Services Profitability Management
Oracle Financial Services Regulatory Reporting for European Banking Authority, versions 8.0.6-8.1.0 | Oracle Financial Services Regulatory Reporting for European Banking Authority
Oracle Financial Services Regulatory Reporting for US Federal Reserve, versions 8.0.6-8.0.9 | Oracle Financial Services Regulatory Reporting for US Federal Reserve
Oracle Financial Services Regulatory Reporting with AgileREPORTER, version 8.0.9.2.0 | Oracle Financial Services Regulatory Reporting with AgileREPORTER
Oracle Financial Services Retail Customer Analytics, version 8.0.6 | Oracle Financial Services Retail Customer Analytics
Oracle FLEXCUBE Core Banking, versions 5.2.0, 11.5.0-11.7.0 | Oracle Financial Services Applications
Oracle FLEXCUBE Direct Banking, versions 12.0.1, 12.0.2, 12.0.3 | Oracle Financial Services Applications
Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0 | Oracle Financial Services Applications
Oracle FLEXCUBE Universal Banking, versions 12.3.0, 14.0.0-14.4.0 | Oracle Financial Services Applications
Oracle GoldenGate Application Adapters, versions 12.3.2.1.0, 19.1.0.0.0 | Fusion Middleware
Oracle GraalVM Enterprise Edition, versions 19.3.3, 20.2.0 | Oracle GraalVM Enterprise Edition
Oracle Health Sciences Empirica Signal, version 9.0 | Health Sciences
Oracle Healthcare Data Repository, version 7.0.1 | Health Sciences
Oracle Healthcare Foundation, versions 7.1.1, 7.2.0, 7.2.1, 7.3.0 | Health Sciences
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1 | Oracle Hospitality Guest Access
Oracle Hospitality Materials Control, version 18.1 | Oracle Hospitality Materials Control
Oracle Hospitality OPERA 5 Property Services, versions 5.5, 5.6 | Oracle Hospitality OPERA 5 Property Services
Oracle Hospitality Reporting and Analytics, version 9.1.0 | Oracle Hospitality Reporting and Analytics
Oracle Hospitality RES 3700, version 5.7 | Oracle Hospitality RES
Oracle Hospitality Simphony, versions 18.1, 18.2, 19.1.0-19.1.2 | Oracle Hospitality Simphony
Oracle Hospitality Suite8, versions 8.10.2, 8.11-8.14 | Oracle Hospitality Suite8
Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Insurance Accounting Analyzer, version 8.0.9 | Oracle Insurance Accounting Analyzer
Oracle Insurance Allocation Manager for Enterprise Profitability, versions 8.0.8, 8.1.0 | Oracle Insurance Allocation Manager for Enterprise Profitability
Oracle Insurance Data Foundation, versions 8.0.6-8.1.0 | Oracle Insurance Data Foundation
Oracle Insurance Insbridge Rating and Underwriting, versions 5.0.0.0-5.6.0.0, 5.6.1.0 | Oracle Insurance Applications
Oracle Insurance Policy Administration J2EE, versions 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26, 11.2.2.0 | Oracle Insurance Applications
Oracle Insurance Rules Palette, versions 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26 | Oracle Insurance Applications
Oracle Java SE, versions 7u271, 8u261, 11.0.8, 15 | Java SE
Oracle Java SE Embedded, version 8u261 | Java SE
Oracle JDeveloper, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Outside In Technology, versions 8.5.4, 8.5.5 | Fusion Middleware
Oracle Policy Automation, versions 12.2.0-12.2.20 | Oracle Policy Automation
Oracle Policy Automation Connector for Siebel, version 10.4.6 | Oracle Policy Automation
Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.20 | Oracle Policy Automation
Oracle REST Data Services, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, [Standalone ORDS] prior to 20.2.1 | Database
Oracle Retail Advanced Inventory Planning, version 14.1 | Retail Applications
Oracle Retail Assortment Planning, versions 15.0.3.0, 16.0.3.0 | Retail Applications
Oracle Retail Back Office, versions 14.0, 14.1 | Retail Applications
Oracle Retail Bulk Data Integration, versions 15.0.3.0, 16.0.3.0 | Retail Applications
Oracle Retail Central Office, versions 14.0, 14.1 | Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 18.0, 19.0 | Retail Applications
Oracle Retail Integration Bus, versions 14.1, 15.0, 16.0 | Retail Applications
Oracle Retail Order Broker, versions 15.0, 16.0, 18.0, 19.0, 19.1, 19.2, 19.3 | Retail Applications
Oracle Retail Point-of-Service, versions 14.0, 14.1 | Retail Applications
Oracle Retail Predictive Application Server, versions 14.1.3.0, 15.0.3.0, 16.0.3.0 | Retail Applications
Oracle Retail Price Management, versions 14.0.4, 14.1.3.0, 15.0.3.0, 16.0.3.0 | Retail Applications
Oracle Retail Returns Management, versions 14.0, 14.1 | Retail Applications
Oracle Retail Service Backbone, versions 14.1, 15.0, 16.0 | Retail Applications
Oracle Retail Xstore Point of Service, versions 15.0.3, 16.0.5, 17.0.3, 18.0.2, 19.0.1 | Retail Applications
Oracle Solaris, versions 10, 11 | Systems
Oracle TimesTen In-Memory Database, versions prior to 11.2.2.8.49, prior to 18.1.3.1.0, prior to 18.1.4.1.0 | Database
Oracle Transportation Management, version 6.3.7 | Oracle Supply Chain Products
Oracle Utilities Framework, versions 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 6.1.16 | Virtualization
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware
Oracle ZFS Storage Appliance Kit, version 8.8 | Systems
PeopleSoft Enterprise HCM Global Payroll Core, version 9.2 | PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58 | PeopleSoft
PeopleSoft Enterprise SCM eSupplier Connection, version 9.2 | PeopleSoft
Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.8 | Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12 | Oracle Construction and Engineering Suite
Siebel Applications, versions 20.7, 20.8 | Siebel

Note:

  • Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
  • Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
  • Solaris Third Party Bulletins are used to announce security patches for third party software distributed with Oracle Solaris. Solaris 10 customers should refer to the latest patch-sets, which contain critical security fixes and are detailed in the Systems Patch Availability Document. Please see Reference Index of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more information.
  • Users running Java SE with a browser can download the latest release from https://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is its unique identifier. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.
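Because Oracle publishes the individual CVSS metrics next to each Base Score, a reader can recompute the score and confirm the row was transcribed correctly, or score a vector for a component that is not listed. The following calculator is an added example and not part of Oracle's advisory or tooling: it implements the CVSS v3.1 base-score equations (impact sub-score, exploitability sub-score, scope-dependent combination and the specification's integer-based Roundup), and it goes beyond this page by scoring any base vector, not only the rows here. The function names are my own, and ORACLE_DB_ROWS is transcribed from the Oracle Database Server risk matrix later in this advisory.

```python
"""CVSS v3.1 base-score calculator used to cross-check the Base Score column
of a risk matrix against its metric columns (added example, not Oracle code)."""
import math

# Metric weights from the CVSS v3.1 specification, section 7.4.
_AV = {"Network": 0.85, "Adjacent": 0.62, "Local": 0.55, "Physical": 0.20}
_AC = {"Low": 0.77, "High": 0.44}
_PR_UNCHANGED = {"None": 0.85, "Low": 0.62, "High": 0.27}
_PR_CHANGED = {"None": 0.85, "Low": 0.68, "High": 0.50}   # PR weighs more when scope changes
_UI = {"None": 0.85, "Required": 0.62}
_CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}


def roundup(value: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal number >= value, done on
    integers so that e.g. 4.02 does not become 4.0 through float error."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, c, i, a) -> float:
    """Base score from the eight base metrics, spelled as in the risk matrix
    (e.g. 'Network', 'Low', 'None', 'Required', 'Changed', 'High')."""
    changed = scope == "Changed"
    iss = 1 - (1 - _CIA[c]) * (1 - _CIA[i]) * (1 - _CIA[a])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    pr_weight = (_PR_CHANGED if changed else _PR_UNCHANGED)[pr]
    exploitability = 8.22 * _AV[av] * _AC[ac] * pr_weight * _UI[ui]
    if impact <= 0:
        return 0.0
    if changed:
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


def check_matrix(rows):
    """rows: (cve, stated_score, av, ac, pr, ui, scope, c, i, a).
    Returns the CVEs whose stated Base Score differs from the recomputed one."""
    return [row[0] for row in rows if base_score(*row[2:]) != row[1]]


# Metric columns transcribed from the Oracle Database Server risk matrix
# in this advisory (one row per distinct vector).
ORACLE_DB_ROWS = [
    ("CVE-2019-12900", 8.8, "Network", "Low", "Low", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2020-14735", 8.8, "Local", "Low", "Low", "None", "Changed", "High", "High", "High"),
    ("CVE-2020-14734", 8.1, "Network", "High", "None", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2018-2765", 7.5, "Network", "Low", "None", "None", "Unchanged", "High", "None", "None"),
    ("CVE-2020-13935", 7.5, "Network", "Low", "None", "None", "Unchanged", "None", "None", "High"),
    ("CVE-2020-11023", 6.1, "Network", "Low", "None", "Required", "Changed", "Low", "Low", "None"),
    ("CVE-2020-14762", 5.4, "Network", "Low", "Low", "Required", "Changed", "Low", "Low", "None"),
    ("CVE-2020-14741", 4.9, "Network", "Low", "High", "None", "Unchanged", "None", "None", "High"),
    ("CVE-2020-14736", 3.8, "Network", "Low", "High", "None", "Unchanged", "Low", "Low", "None"),
    ("CVE-2020-14743", 3.1, "Network", "High", "Low", "None", "Unchanged", "None", "Low", "None"),
]

if __name__ == "__main__":
    # An empty list means every stated score matches its metrics.
    print("rows with a score mismatch:", check_matrix(ORACLE_DB_ROWS))
```

The scope-changed branch is the one worth noting when reading the matrix: CVE-2020-14735 is Local-only yet scores 8.8, the same as the network-reachable bzip2 issue, because a Changed scope raises the privileges-required weight and multiplies the sum by 1.08.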

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

  • 0rich1 Ant Security FG Lab: CVE-2020-14841
  • Aaron Carreras of FireEye: CVE-2020-14871
  • Abdulrahman Nour of Redforce: CVE-2020-14823
  • Ahmed Elhady Mohamed of Ahmed Mohamed: CVE-2020-14768
  • Akshay Gaikwad: CVE-2020-14762
  • Alessandro Bosco of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
  • Alexander Kornbrust of Red Database Security: CVE-2020-14742, CVE-2020-14901
  • Alves Christopher of Telecom Nancy: CVE-2020-14867
  • Ammarit Thongthua of Secure D Center Cybersecurity Team: CVE-2020-14778
  • Amy Tran: CVE-2020-14822, CVE-2020-14831, CVE-2020-14833, CVE-2020-14834, CVE-2020-14849, CVE-2020-14850, CVE-2020-14851, CVE-2020-14856, CVE-2020-14857
  • Andrej Simko of Accenture: CVE-2020-14774, CVE-2020-14808
  • Anonymous researcher working with Trend Micro's Zero Day Initiative: CVE-2020-14841, CVE-2020-14881, CVE-2020-14884, CVE-2020-14885, CVE-2020-14886
  • Bui Duong from Viettel Cyber Security: CVE-2020-14879, CVE-2020-14880
  • Chi Tran: CVE-2020-14822, CVE-2020-14831, CVE-2020-14833, CVE-2020-14834, CVE-2020-14849, CVE-2020-14850, CVE-2020-14851, CVE-2020-14856, CVE-2020-14857
  • codeplutos of AntGroup FG Security Lab: CVE-2020-14825
  • Damian Bury: CVE-2020-14767, CVE-2020-14770
  • Darragh Duffy: CVE-2020-14744
  • Eddie Zhu of Beijing DBSEC Technology Co., Ltd: CVE-2020-14741
  • Edoardo Predieri of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
  • Fabio Minarelli of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
  • Filip Ceglik: CVE-2020-14772
  • Francesco Russo of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
  • François Goichon of Google: CVE-2020-14735
  • Gaoning Pan of Zhejiang University & Ant Security Light-Year Lab: CVE-2020-14872, CVE-2020-14892
  • Graham Rymer of University Information Services, University of Cambridge: CVE-2020-14840
  • Hangfan Zhang: CVE-2020-14828
  • Ioannis Charalambous of NCC Group: CVE-2020-14787, CVE-2020-14788
  • Ivo Palazzolo of Daimler TSS: CVE-2020-14864
  • Jacob Thompson of FireEye: CVE-2020-14871
  • Jakub Palaczynski: CVE-2020-14740, CVE-2020-14752
  • Jakub Plusczok: CVE-2020-14854
  • Jeffrey Martin of Rapid7: CVE-2020-14871
  • Joe Almeida of Globlue Technologies: CVE-2020-14815
  • Julien Zhan of Telecom Nancy: CVE-2020-14867
  • Khuyen Nguyen of secgit.com: CVE-2020-14816, CVE-2020-14817, CVE-2020-14819, CVE-2020-14835
  • Kritsada Sunthornwutthikrai of Secure D Center Cybersecurity Team: CVE-2020-14778
  • Kylinking of NSFocus Security Team: CVE-2020-14841
  • Larry W. Cashdollar: CVE-2020-14758, CVE-2020-14759
  • Le Xuan Tuyen - VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-14841, CVE-2020-14859
  • Long Nguyễn Hữu Vũ: CVE-2020-14863
  • Longofo of Knownsec 404 Team: CVE-2020-14841
  • Luca Di Giuseppe of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
  • Markus Loewe: CVE-2020-14796, CVE-2020-14797, CVE-2020-14798
  • Massimiliano Brolli of TIM S.p.A: CVE-2020-14842, CVE-2020-14843
  • Mateusz Dabrowski: CVE-2020-14784
  • Philippe Antoine of Telecom Nancy: CVE-2020-14867
  • Piotr Madej of ING Tech Poland: CVE-2020-14740
  • Preeyakorn Keadsai of Secure D Center Cybersecurity Team: CVE-2020-14778
  • Quynh Le of VNPT ISC working with Trend Micro Zero Day Initiative: CVE-2020-14825
  • r0 from A-TEAM of Legendsec at Qi'anxin Group: CVE-2020-14841
  • Roger Meyer: CVE-2020-14745
  • Rui Zhong: CVE-2020-14828
  • Sergey Ostanin: CVE-2020-14781
  • Shiva Gupta of Shiva Hacker One: CVE-2020-14890, CVE-2020-14897
  • Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2020-14764
  • Thai Nguyen of ECQ: CVE-2020-14826
  • thiscodecc: CVE-2020-14825
  • Tomasz Stachowicz: CVE-2020-14780
  • Trung Le: CVE-2020-14822, CVE-2020-14831, CVE-2020-14833, CVE-2020-14834, CVE-2020-14849, CVE-2020-14850, CVE-2020-14851, CVE-2020-14856, CVE-2020-14857
  • Tuan Anh Nguyen of Viettel Cyber Security: CVE-2020-14855, CVE-2020-14862, CVE-2020-14875
  • Tuan Anh Nguyen of Viettel Cyber Security working with Trend Micro Zero Day Initiative: CVE-2020-14876
  • Ved Prabhu: CVE-2020-14762, CVE-2020-14763, CVE-2020-14898, CVE-2020-14899, CVE-2020-14900
  • Venustech ADLab: CVE-2020-14820
  • Viktor Gazdag of NCC Group: CVE-2020-14787, CVE-2020-14788
  • voidfyoo of Chaitin Security Research Lab: CVE-2020-14882, CVE-2020-14883
  • Walid Faour: CVE-2020-14783
  • Xingwei Lin of Ant Security Light-Year Lab: CVE-2020-14872, CVE-2020-14889, CVE-2020-14892
  • Xinlei Ying of Ant Security Light-Year Lab: CVE-2020-14892
  • Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2020-14841
  • Yaoguang Chen of Ant Security Light-Year Lab: CVE-2020-14828, CVE-2020-14861, CVE-2020-14893
  • Yi Ren of Alibaba: CVE-2020-14790, CVE-2020-14828
  • Yongheng Chen: CVE-2020-14828
  • Yu Wang of BMH Security Team: CVE-2020-14841
  • Yuyue Wang of Alibaba: CVE-2020-14828
  • Zhiqiang Zang of University of Texas at Austin: CVE-2020-14792
  • Zouhair Janatil-Idrissi of Telecom Nancy: CVE-2020-14867

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program:

  • Amy Tran [35 reports]
  • Chi Tran [35 reports]
  • David Wilkins
  • Markus Loewe [2 reports]
  • Mateusz Dabrowski
  • Trung Le [35 reports]

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:

  • Abdulrahman Ahmed [3 reports]
  • Abhishek Morla
  • Adam Willard [2 reports]
  • Adam Willard of Raytheon Foreground Security
  • Adarsh VS Mannarakkal
  • Ahmed Elmalky
  • Ahmed Omer Morve
  • Ai Ho (j3ssiejjj)
  • Alex Munene
  • Alisha Sheikh
  • Anil Bhatt
  • Anurag Kumar Rawat (A1C3VENOM)
  • Ayan Saha
  • Badal Sardhara
  • Bindiya Sardhara
  • Bui Dinh Bao aka 0xd0ff9 of Zalo Security Team (VNG Corp).
  • Danny
  • Dhiraj Mishra
  • Funny Tech
  • Gaurav Kumar
  • Gourab Sadhukhan
  • Harsh Mukeshbhai Joshi [2 reports]
  • Himanshu Phulwariya
  • Karthick Selvaraj
  • Kartik Sharma
  • Kaustubh Kale
  • Kirtan Patel
  • Kryptos Logic - Threat Intelligence Platform
  • Kunal Gambhir
  • Magrabur Alam Sofily
  • Mansouri Badis
  • Marwan Ali Albahar [2 reports]
  • Matthew Harlow of EthicalHacker 20
  • Mayank Kumar
  • Mayank Malik, Kartik Sharma
  • Micah Van Deusen
  • Omkar Ghaisas
  • Osman Ahmed Hassan
  • Pankaj Kumar Thakur from Nepal [3 reports]
  • Pratish Bhansali
  • Ria from iZOOlogic
  • Riccardo Donini
  • Rick Verdoes & Danny de Weille of HackDefense
  • Robert Lee Dick [2 reports]
  • Roger Meyer
  • Ronak Nahar
  • Rudi Andriano
  • Ryan awsmhacks Preston
  • Sai Prashanth Pulisetti
  • Sameer Goyal
  • Shahid Ahmed [2 reports]
  • Shivang Trivedi [2 reports]
  • Shubham Kalaria
  • Shubham Maheshwari
  • Sidney Omondi of Salaam Technology
  • Siva Pathela
  • Soumajit Mukherjee
  • Sparsh Gupta
  • Srikar V - exp1o1t9r
  • Sumit Sah
  • Supun Madubashana Halangoda
  • Suresh Nadar
  • Swapnil Maurya - "swapmaurya20"
  • Syed Muhammad Asim [2 reports]
  • Vaibhav Gaikwad of Knock Security Solutions
  • Venkata Sateesh Netti (str4n63r)
  • Walid Hossain
  • Yassine Triki
  • Yatin Sharma

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 19 January 2021
  • 20 April 2021
  • 20 July 2021
  • 19 October 2021


Modification History

Date | Note
2020-December-8 | Rev 6. Added a note for CVE-2020-14871.
2020-November-16 | Rev 5. Updated Oracle ZFS Storage Appliance Kit row to include CVE-2020-14871.
2020-October-29 | Rev 4. Added CVE-2018-2765.
2020-October-27 | Rev 3. Credit statement update.
2020-October-22 | Rev 2. Affected versions change for CVE-2020-14807, CVE-2020-14810 and credit statement update.
2020-October-20 | Rev 1. Initial Release.

Oracle Database Products Risk Matrices

This Critical Patch Update contains 29 new security patches for Oracle Database Products divided as follows:

  • 19 new security patches for Oracle Database Products
  • 1 new security patch for Oracle Big Data Graph
  • 5 new security patches for Oracle REST Data Services
  • 4 new security patches for Oracle TimesTen In-Memory Database

Oracle Database Server Risk Matrix

This Critical Patch Update contains 19 new security patches plus additional third party patches noted below for Oracle Database Products.  5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  1 of these patches is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2019-12900 | Core RDBMS (bzip2) | DBA Level Account | Oracle Net | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
CVE-2020-14735 | Scheduler | Local Logon | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
CVE-2020-14734 | Oracle Text | None | Oracle Net | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
CVE-2018-2765 | Oracle SSL API | None | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1 |
CVE-2020-13935 | Workload Manager (Apache Tomcat) | None | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.0.1, 18c, 19c |
CVE-2020-11023 | Oracle Application Express (jQuery) | None | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 20.2 |
CVE-2020-11023 | ORDS (jQuery) | None | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | See Note 1
CVE-2020-14762 | Oracle Application Express SQL Workshop | | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 |
CVE-2020-9281 | Oracle Application Express | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 |
CVE-2020-14899 | Oracle Application Express Data Reporter | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 |
CVE-2020-14900 | Oracle Application Express Group Calendar | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 |
CVE-2020-14898 | Oracle Application Express Packaged Apps | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 |
CVE-2020-14763 | Oracle Application Express Quick Poll | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 |
CVE-2020-14741 | Database Filesystem | Resource, Create Table, Create View, Create Procedure, Dbfs_role | Oracle Net | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 11.2.0.4, 12.1.0.2, 12.2.0.1 |
CVE-2020-14901 | RDBMS Security | Analyze Any | Oracle Net | No | 4.9 | Network | Low | High | None | Unchanged | High | None | None | 19c |
CVE-2020-14736 | Database Vault | Create Public Synonym | Oracle Net | No | 3.8 | Network | Low | High | None | Unchanged | Low | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1 |
CVE-2020-14743 | Java VM | Create Procedure | Multiple | No | 3.1 | Network | High | Low | None | Unchanged | None | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
CVE-2020-14740 | SQL Developer Install | Client Computer User Account | Local Logon | No | 2.8 | Local | Low | Low | Required | Unchanged | Low | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c |
CVE-2020-14742 | Core RDBMS | SYSDBA level account | Oracle Net | No | 2.7 | Network | Low | High | None | Unchanged | None | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |

Notes:

  1. Additional ORDS bugs are documented in the risk matrix "Oracle REST Data Services Risk Matrix".

Additional CVEs addressed are:

  • The patch for CVE-2019-12900 also addresses CVE-2016-3189
  • The patch for CVE-2020-11023 also addresses CVE-2019-11358 and CVE-2020-11022
  • The patch for CVE-2020-13935 also addresses CVE-2020-11996, CVE-2020-13934 and CVE-2020-9484
  • The patch for CVE-2020-14734 also addresses CVE-2016-10244, CVE-2016-10328, CVE-2016-5300, CVE-2016-6153, CVE-2017-10989, CVE-2017-13685, CVE-2017-13745, CVE-2017-14232, CVE-2017-15286, CVE-2017-7857, CVE-2017-7858, CVE-2017-7864, CVE-2017-8105, CVE-2017-8287, CVE-2018-18873, CVE-2018-19139, CVE-2018-19539, CVE-2018-19540, CVE-2018-19541, CVE-2018-19542, CVE-2018-19543, CVE-2018-20346, CVE-2018-20505, CVE-2018-20506, CVE-2018-20570, CVE-2018-20584, CVE-2018-20622, CVE-2018-20843, CVE-2018-6942, CVE-2018-8740, CVE-2018-9055, CVE-2018-9154, CVE-2018-9252, CVE-2019-15903, CVE-2019-16168, CVE-2019-5018, CVE-2019-8457, CVE-2019-9936 and CVE-2019-9937

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Core RDBMS (LZ4): CVE-2019-17543
  • Core RDBMS (Zstandard): CVE-2019-11922
  • Oracle Database (Perl Expat): CVE-2018-20843 and CVE-2019-15903
  • Oracle Spatial and Graph (Apache Log4j): CVE-2020-9488
  • Oracle Spatial and Graph (jackson-databind): CVE-2019-16943, CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-5968, CVE-2018-7489, CVE-2019-16942 and CVE-2019-17531
  • Oracle Spatial and Graph MapViewer (jQuery): CVE-2020-11023, CVE-2019-11358 and CVE-2020-11022
  • SQL Developer (Apache Batik): CVE-2018-8013 and CVE-2017-5662
  • SQL Developer (Apache Log4j): CVE-2017-5645
  • SQL Developer (Apache POI): CVE-2017-12626, CVE-2016-5000, CVE-2017-5644 and CVE-2019-12415
  • SQL Developer (jackson-databind): CVE-2018-7489, CVE-2017-15095, CVE-2017-17485, CVE-2018-1000873, CVE-2018-11307, CVE-2018-12022, CVE-2018-5968, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-16335, CVE-2019-20330 and CVE-2020-8840
  • SQL Developer (JCraft JSch): CVE-2016-5725
  • SQL Developer Install (Bouncy Castle): CVE-2019-17359, CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, CVE-2016-1000341, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345, CVE-2016-1000346, CVE-2016-1000352, CVE-2017-13098, CVE-2018-1000180, CVE-2018-1000613 and CVE-2018-5382

Oracle Database Server Client-Only Installations

  • The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2020-14740.

 

Oracle Big Data Graph Risk Matrix

This Critical Patch Update contains 1 new security patch plus additional third party patches noted below for Oracle Big Data Graph.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2019-0192 | Big Data Spatial and Graph | Property Graph Analytics (Apache Solr) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 3.0 |

Additional CVEs addressed are:

  • The patch for CVE-2019-0192 also addresses CVE-2017-3164

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Big Data Spatial and Graph
    • Property Graph Analytics (jQuery): CVE-2015-9251
    • Property Graph Analytics (jackson-databind): CVE-2020-9546, CVE-2015-9251, CVE-2017-5645, CVE-2018-12023, CVE-2018-14718, CVE-2018-7489, CVE-2019-10744, CVE-2019-12086, CVE-2019-14379, CVE-2019-16943, CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-14195, CVE-2020-9547 and CVE-2020-9548
    • Property Graph Analytics (lodash): CVE-2019-10744
    • Property Graph Analytics (Apache Log4j): CVE-2017-5645

 

Oracle REST Data Services Risk Matrix

This Critical Patch Update contains 5 new security patches plus additional third party patches noted below for Oracle REST Data Services.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-7658 | Oracle REST Data Services | General (Eclipse Jetty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c |
CVE-2016-1000031 | Oracle REST Data Services | General (Apache Commons FileUpload) | HTTP | No | 8.0 | Network | Low | Low | Required | Unchanged | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c |
CVE-2020-14744 | Oracle REST Data Services | General | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c; Standalone ORDS: prior to 20.2.1 |
CVE-2020-11023 | Oracle REST Data Services | General (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c; Standalone ORDS: prior to 20.2.1 |
CVE-2020-14745 | Oracle REST Data Services | General | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c; Standalone ORDS: prior to 20.2.1 |

Additional CVEs addressed are:

  • The patch for CVE-2017-7658 also addresses CVE-2016-4800, CVE-2017-7656, CVE-2017-7657, CVE-2017-9735, CVE-2018-12536, CVE-2018-12538, CVE-2018-12545, CVE-2019-10241, CVE-2019-10246, CVE-2019-10247 and CVE-2019-17632
  • The patch for CVE-2020-11023 also addresses CVE-2019-11358 and CVE-2020-11022

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle REST Data Services
    • General (Apache Batik): CVE-2018-8013 and CVE-2017-5662
    • General (jackson-databind): CVE-2019-16335, CVE-2019-12814, CVE-2019-14540, CVE-2019-14893, CVE-2019-17531, CVE-2019-20330, CVE-2020-11113, CVE-2020-11620 and CVE-2020-8840

 

Oracle TimesTen In-Memory Database Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle TimesTen In-Memory Database.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2018-11058 | Oracle TimesTen In-Memory Database | EM TimesTen plugin (RSA BSAFE Crypto-C) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 18.1.4.1.0 |
CVE-2017-5645 | Oracle TimesTen In-Memory Database | Install (Apache Log4j) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | Prior to 11.2.2.8.49 |
CVE-2019-1010239 | Oracle TimesTen In-Memory Database | Install (Dave Gamble/cJSON) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to 18.1.3.1.0 |
CVE-2019-0201 | Oracle TimesTen In-Memory Database | Install (Apache ZooKeeper) | ZAB | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | Prior to 18.1.3.1.0 |

Additional CVEs addressed are:

  • The patch for CVE-2017-5645 also addresses CVE-2020-1945
  • The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769
  • The patch for CVE-2019-1010239 also addresses CVE-2019-11834 and CVE-2019-11835

 

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle Communications Applications.  8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2019-10173 | Oracle Communications BRM - Elastic Charging Engine | Diameter Gateway and SDK (xstream) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.3.0.9.0, 12.0.0.3.0 |
CVE-2020-10683 | Oracle Communications Unified Inventory Management | Core (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.3.0, 7.4.0 |
CVE-2019-10173 | Oracle Communications Unified Inventory Management | Core (xstream) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.3.0, 7.4.0 |
CVE-2020-10878 | Oracle Communications Billing and Revenue Management | Core (Perl) | TCP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | Low | High | 12.0.0.2.0, 12.0.0.3.0 |
CVE-2020-11022 | Oracle Communications Billing and Revenue Management | Billing Operation Center and Oracle Communication Billing Care (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 7.5.0.23.0, 12.0.0.3.0 |
CVE-2020-9489 | Oracle Communications Messaging Server | Core (Apache Tika) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 8.1 |
CVE-2020-9488 | Oracle Communications Billing and Revenue Management | Billing Operation Center and Oracle Communication Billing Care (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 7.5.0.23.0, 12.0.0.3.0 |
CVE-2020-9488 | Oracle Communications Offline Mediation Controller | Core (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 12.0.0.3.0 |
CVE-2020-9488 | Oracle Communications Unified Inventory Management | Core (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 7.3.0, 7.4.0 |

Additional CVEs addressed are:

  • The patch for CVE-2020-10878 also addresses CVE-2020-10543 and CVE-2020-12723
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023

 

Oracle Communications Risk Matrix

This Critical Patch Update contains 52 new security patches for Oracle Communications.  41 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-10683 | Oracle Communications Application Session Controller | WS and WEB (dom4j) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.9m0p1 |
CVE-2020-11973 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Apache Camel) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | IDIH: 8.0.0-8.2.2 |
CVE-2020-2555 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Oracle Coherence) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | IDIH: 8.0.0-8.2.2 |
CVE-2020-10683 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | IDIH: 8.0.0-8.2.2 |
CVE-2019-2904 | Oracle Communications Diameter Signaling Router (DSR) | Platform (Application Development Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0.0-8.4.0.5 |
CVE-2019-12260 | Oracle Communications EAGLE Software | Network Stack (Wind River VxWorks) | TCP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 46.6.0-46.8.2 |
CVE-2020-11984 | Oracle Communications Element Manager | Core (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.2.0-8.2.2 |
CVE-2020-11984 | Oracle Communications Session Report Manager | Core (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.2.0-8.2.2 |
CVE-2020-11984 | Oracle Communications Session Route Manager | Core (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.2.0-8.2.2 |
CVE-2019-13990 | Oracle Communications Session Route Manager | Core (Quartz Scheduler) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.2.0-8.2.2 |
CVE-2019-17638 | Oracle Communications Application Session Controller | WS and WEB (Eclipse Jetty) | HTTP | Yes | 9.4 | Network | Low | None | None | Unchanged | High | High | Low | 3.9m0p1 |
CVE-2019-17638 | Oracle Communications Element Manager | Core (Eclipse Jetty) | HTTP | Yes | 9.4 | Network | Low | None | None | Unchanged | High | High | Low | 8.2.0-8.2.2 |
CVE-2019-17638 | Oracle Communications Session Report Manager | Core (Eclipse Jetty) | HTTP | Yes | 9.4 | Network | Low | None | None | Unchanged | High | High | Low | 8.2.0-8.2.2 |
CVE-2019-17638 | Oracle Communications Session Route Manager | Core (Eclipse Jetty) | HTTP | Yes | 9.4 | Network | Low | None | None | Unchanged | High | High | Low | 8.2.0-8.2.2 |
CVE-2020-14195 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | IDIH: 8.0.0-8.2.2 |
CVE-2020-14195 | Oracle Communications Element Manager | Core (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.2.0-8.2.2 |
CVE-2020-14195 | Oracle Communications Evolved Communications Application Server | Universal Data Record (jackson-databind) | XCAP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 7.1 |
CVE-2020-14195 | Oracle Communications Session Report Manager | Core (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.2.0-8.2.2 |
CVE-2020-14195 | Oracle Communications Session Route Manager | Core (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.2.0-8.2.2 |
CVE-2020-5398 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | IDIH: 8.0.0-8.2.2 |
CVE-2019-17359 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Bouncy Castle Java Library) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | IDIH: 8.0.0-8.2.2 |
CVE-2019-12402 | Oracle Communications Element Manager | Core (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.2.0-8.2.2 |
CVE-2020-11080 | Oracle Communications Session Border Controller | System (http2) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.3, 8.4 |
CVE-2019-12402 | Oracle Communications Session Report Manager | Core (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.2.0-8.2.2 |
CVE-2019-12402 | Oracle Communications Session Route Manager | Core (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.2.0-8.2.2 |
CVE-2019-17359 | Oracle Communications Session Route Manager | Core (Bouncy Castle Java Library) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.2.0-8.2.2 |
CVE-2019-10173 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (xstream) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | IDIH: 8.0.0-8.2.2 |
CVE-2020-9484 | Oracle Communications Diameter Signaling Router (DSR) | Core (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 8.0.0.0-8.4.0.5 |
CVE-2020-9484 | Oracle Communications Element Manager | Core (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 8.2.0-8.2.2 |
CVE-2020-9484 | Oracle Communications Session Report Manager | Core (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 8.2.0-8.2.2 |
CVE-2020-9484 | Oracle Communications Session Route Manager | Core (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 8.2.0-8.2.2 |
CVE-2020-1945 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Apache Ant) | None | No | 6.7 | Local | High | None | None | Unchanged | High | High | None | IDIH: 8.0.0-8.2.2 |
CVE-2020-10722 | Oracle Communications Session Border Controller | Platform (DPDK) | None | No | 6.7 | Local | Low | High | None | Unchanged | High | High | High | 8.2-8.4 |
CVE-2020-5408 | Oracle Communications Element Manager | Core (Spring Security) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 8.2.0-8.2.2 |
CVE-2020-5408 | Oracle Communications Session Report Manager | Core (Spring Security) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 8.2.0-8.2.2 |
CVE-2020-5408 | Oracle Communications Session Route Manager | Core (Spring Security) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 8.2.0-8.2.2 |
CVE-2020-11022 | Oracle Communications Application Session Controller | Core (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 3.8m0 |
CVE-2020-1941 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Apache ActiveMQ) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | IDIH: 8.0.0-8.2.2 |
CVE-2020-11022 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | IDIH: 8.0.0-8.2.2 |
CVE-2019-17091 | Oracle Communications Diameter Signaling Router (DSR) | Platform (Eclipse Mojarra) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.0.0-8.4.0.5 |
CVE-2020-14788 | Oracle Communications Diameter Signaling Router (DSR) | User Interface | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.0.0-8.4.0.5 |
CVE-2020-11022 | Oracle Communications WebRTC Session Controller | ME (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 7.2 |
CVE-2020-11022 | Oracle Enterprise Session Border Controller | Core (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.4 |
CVE-2019-12415 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Apache POI) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | IDIH: 8.0.0-8.2.2 |
CVE-2020-14787 | Oracle Communications Diameter Signaling Router (DSR) | User Interface | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 8.0.0.0-8.4.0.5 |
CVE-2019-11048 | Oracle Communications Diameter Signaling Router (DSR) | Core (PHP) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 8.0.0.0-8.4.0.5 |
CVE-2020-1954 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Apache CXF) | HTTP | Yes | 5.3 | Adjacent Network | High | None | None | Unchanged | High | None | None | IDIH: 8.0.0-8.2.2 |
CVE-2020-1954 | Oracle Communications Element Manager | Core (Apache CXF) | HTTP | Yes | 5.3 | Adjacent Network | High | None | None | Unchanged | High | None | None | 8.2.0-8.2.2 |
CVE-2020-1954 | Oracle Communications Session Report Manager | Core (Apache CXF) | HTTP | Yes | 5.3 | Adjacent Network | High | None | None | Unchanged | High | None | None | 8.2.0-8.2.2 |
CVE-2020-1954 | Oracle Communications Session Route Manager | Core (Apache CXF) | HTTP | Yes | 5.3 | Adjacent Network | High | None | None | Unchanged | High | None | None | 8.2.0-8.2.2 |
CVE-2020-9488 | Oracle Communications Application Session Controller | WS and WEB (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 3.9m0p1 |
CVE-2020-9488 | Oracle Communications Services Gatekeeper | Media Control UI (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 7 |

Additional CVEs addressed are:

  • The patch for CVE-2019-11048 also addresses CVE-2020-7067
  • The patch for CVE-2019-12260 also addresses CVE-2019-12261
  • The patch for CVE-2019-13990 also addresses CVE-2019-5427
  • The patch for CVE-2019-17638 also addresses CVE-2019-17632
  • The patch for CVE-2020-10722 also addresses CVE-2020-10723 and CVE-2020-10724
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023
  • The patch for CVE-2020-11080 also addresses CVE-2019-5436, CVE-2019-5481, CVE-2019-5482, CVE-2019-9511 and CVE-2019-9513
  • The patch for CVE-2020-11973 also addresses CVE-2020-11971 and CVE-2020-11972
  • The patch for CVE-2020-11984 also addresses CVE-2020-11993 and CVE-2020-9490
  • The patch for CVE-2020-14195 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-9546, CVE-2020-9547 and CVE-2020-9548
  • The patch for CVE-2020-1941 also addresses CVE-2020-13920
  • The patch for CVE-2020-1945 also addresses CVE-2017-5645
  • The patch for CVE-2020-1954 also addresses CVE-2019-12423
  • The patch for CVE-2020-5398 also addresses CVE-2020-5397
  • The patch for CVE-2020-5408 also addresses CVE-2020-5407

 

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle Construction and Engineering.  7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-11984 | Instantis EnterpriseTrack | Core (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 17.1, 17.2, 17.3 |
CVE-2019-17495 | Primavera Gateway | Admin (Swagger UI) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 16.2.0-16.2.11, 17.12.0-17.12.8 |
CVE-2015-1832 | Primavera Unifier | Platform (Apache Derby) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | None | High | 16.1, 16.2, 17.7-17.12, 18.8, 19.12 |
CVE-2017-9096 | Primavera Unifier | Platform (iText) | HTTP | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 16.1, 16.2, 17.7-17.12, 18.8, 19.12 |
CVE-2020-13935 | Instantis EnterpriseTrack | Core (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 17.1, 17.2, 17.3 |
CVE-2019-17558 | Primavera Unifier | Platform (Apache Solr) | HTTP | No | 7.5 | Network | High | Low | None | Unchanged | High | High | High | 16.1, 16.2, 17.7-17.12, 18.8, 19.12 |
CVE-2018-17196 | Primavera Unifier | Core (Apache Kafka) | HTTP | Yes | 7.0 | Network | High | None | None | Unchanged | High | Low | Low | 18.8, 19.12 |
CVE-2020-9489 | Primavera Unifier | Platform (Apache Tika) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 16.1, 16.2, 17.7-17.12, 18.8, 19.12 |
CVE-2020-9488 | Primavera Unifier | Core (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 18.8, 19.12 |

Additional CVEs addressed are:

  • The patch for CVE-2020-11984 also addresses CVE-2020-11993 and CVE-2020-9490
  • The patch for CVE-2020-13935 also addresses CVE-2020-13934

 

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 27 new security patches for Oracle E-Business Suite.  25 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (October 2020), My Oracle Support Note 2707309.1.

Columns Base Score through Availability are the CVSS VERSION 3.1 RISK (see Risk Matrix Definitions).

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-14855 | Oracle Universal Work Queue | Work Provider Administration | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1.3 |
CVE-2020-14805 | Oracle E-Business Suite Secure Enterprise Search | Search Integration Engine | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.1.3, 12.2.3 - 12.2.10 |
CVE-2020-14875 | Oracle Marketing | Marketing Administration | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 |
CVE-2020-14876 | Oracle Trade Management | User Interface | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 |
CVE-2020-14862 | Oracle Universal Work Queue | Internal Operations | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.2.3 - 12.2.9 |
CVE-2020-14850 | Oracle CRM Technical Foundation | Flex Fields | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.3, 12.2.3 - 12.2.10 |
CVE-2020-14816 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 |
CVE-2020-14817 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 |
CVE-2020-14831 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 |
CVE-2020-14835 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3 |
CVE-2020-14849 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 |
CVE-2020-14819 | Oracle One-to-One Fulfillment | Print Server | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.3 |
CVE-2020-14863 | Oracle One-to-One Fulfillment | Print Server | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3 |
CVE-2020-14808 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.3, 12.2.3 - 12.2.10 |
CVE-2020-14833 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 |
CVE-2020-14834 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 |
CVE-2020-14851 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 |
CVE-2020-14856 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 |
CVE-2020-14857 | Oracle Trade Management | User Interface | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 |
CVE-2020-14774 | Oracle CRM Technical Foundation | Preferences | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 |
CVE-2020-14761 | Oracle Applications Manager | Oracle Diagnostics Interfaces | HTTP | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 12.1.3, 12.2.3 - 12.2.7 |
CVE-2020-14823 | Oracle CRM Technical Foundation | Preferences | HTTP | No | 6.5 | Network | Low | High | None | Unchanged | High | High | None | 12.2.3 - 12.2.10 |
CVE-2020-14811 | Oracle Applications Manager | AMP EBS Integration | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.1.3, 12.2.3 - 12.2.10 |
CVE-2020-14826 | Oracle Applications Manager | SQL Extensions | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.1.3, 12.2.3 - 12.2.10 |
CVE-2020-14840 | Oracle Application Object Library | Diagnostics | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 12.1.3, 12.2.3 - 12.2.10 |
CVE-2020-14746 | Oracle Applications Framework | Popup windows | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 12.1.3, 12.2.3 - 12.2.10 |
CVE-2020-14822 | Oracle Installed Base | APIs | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 12.1.1 - 12.1.3, 12.2.3 - 12.2.10 |

 

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle Enterprise Manager.  10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the October 2020 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2694898.1.

(Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics; see Risk Matrix Definitions.)

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2019-13990 | Enterprise Manager Ops Center | Agent Provisioning (Quartz Scheduler) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.4.0.0 |
CVE-2018-11058 | Oracle Application Testing Suite | Load Testing for Web Apps (RSA BSAFE Crypto-C) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 13.3.0.1 |
CVE-2019-17638 | Oracle Application Testing Suite | Load Testing for Web Apps (Eclipse Jetty) | HTTP | Yes | 9.4 | Network | Low | None | None | Unchanged | High | High | Low | 13.3.0.1 |
CVE-2020-5398 | Enterprise Manager Base Platform | Connector Framework (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 13.2.1.0 |
CVE-2020-1967 | Enterprise Manager for Storage Management | Privilege Management (OpenSSL) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 13.3.0.0, 13.4.0.0 |
CVE-2020-5398 | Oracle Application Testing Suite | Load Testing for Web Apps (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 13.3.0.1 |
CVE-2019-3740 | Application Performance Management (APM) | Comp Management and Life Cycle Management (RSA BSAFE Crypto-J) | HTTPS | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 13.3.0.0, 13.4.0.0 |
CVE-2019-2897 | Enterprise Manager Base Platform | Event Management | HTTP | No | 6.4 | Network | Low | Low | None | Changed | Low | Low | None | 13.3.0.0, 13.4.0.0 |
CVE-2020-11022 | Enterprise Manager Ops Center | Reports in Ops Center (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.4.0.0 |
CVE-2020-1954 | Enterprise Manager Base Platform | Connector Framework (Apache CXF) | HTTP | Yes | 5.3 | Adjacent Network | High | None | None | Unchanged | High | None | None | 13.2.1.0 |
CVE-2020-9488 | Enterprise Manager for Peoplesoft | PSEM Plugin (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 13.4.1.1 |

Additional CVEs addressed are:

  • The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769
  • The patch for CVE-2019-13990 also addresses CVE-2019-5427
  • The patch for CVE-2019-17638 also addresses CVE-2019-17632
  • The patch for CVE-2019-3740 also addresses CVE-2019-3738 and CVE-2019-3739
  • The patch for CVE-2020-1954 also addresses CVE-2019-12419
  • The patch for CVE-2020-5398 also addresses CVE-2020-5397

 

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 53 new security patches for Oracle Financial Services Applications.  49 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

(Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics; see Risk Matrix Definitions.)

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2019-17495 | Oracle Banking Platform | Collections (Swagger UI) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 2.4.0-2.10.0 |
CVE-2020-10683 | Oracle Banking Platform | Collections (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 2.4.0-2.10.0 |
CVE-2019-10173 | Oracle Banking Platform | Collections (xstream) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 2.4.0-2.10.0 |
CVE-2020-10683 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.6-8.1.0 |
CVE-2020-9546 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.6-8.1.0 |
CVE-2020-9546 | Oracle Financial Services Institutional Performance Analytics | User Interface (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.6, 8.7.0, 8.1.0 |
CVE-2020-9546 | Oracle Financial Services Price Creation and Discovery | User Interface (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.6, 8.0.7 |
CVE-2017-5645 | Oracle Financial Services Regulatory Reporting with AgileREPORTER | Core (Apache Ant) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.9.2.0 |
CVE-2020-9546 | Oracle Financial Services Retail Customer Analytics | User Interface (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.6 |
CVE-2020-11973 | Oracle FLEXCUBE Private Banking | Core (Apache Camel) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.0.0, 12.1.0 |
CVE-2020-14824 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure | HTTP | Yes | 8.6 | Network | Low | None | None | Changed | None | None | High | 8.0.6-8.1.0 |
CVE-2020-14195 | Oracle Banking Digital Experience | Framework (jackson-databind) | HTTPS | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 18.1, 18.2, 18.3, 19.1, 19.2, 20.1 |
CVE-2020-5398 | Oracle Financial Services Regulatory Reporting with AgileREPORTER | Core (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 8.0.9.2.0 |
CVE-2020-5398 | Oracle FLEXCUBE Private Banking | Core (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 12.0.0, 12.1.0 |
CVE-2020-14894 | Oracle Banking Corporate Lending | Core | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 12.3.0, 14.0.0-14.4.0 |
CVE-2020-14896 | Oracle Banking Payments | Core | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 14.1.0-14.4.0 |
CVE-2020-14890 | Oracle FLEXCUBE Direct Banking | Pre Login | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 12.0.1, 12.0.2, 12.0.3 |
CVE-2020-14897 | Oracle FLEXCUBE Direct Banking | Pre Login | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 12.0.1, 12.0.2, 12.0.3 |
CVE-2020-14887 | Oracle FLEXCUBE Universal Banking | Infrastructure | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 12.3.0, 14.0.0-14.4.0 |
CVE-2020-11022 | Oracle Banking Digital Experience | Framework (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 18.1, 18.2, 18.3, 19.1, 19.2, 20.1 |
CVE-2020-11022 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.1.0 |
CVE-2020-11022 | Oracle Financial Services Analytical Applications Reconciliation Framework | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.8, 8.1.0 |
CVE-2020-11022 | Oracle Financial Services Asset Liability Management | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.7, 8.1.0 |
CVE-2020-11022 | Oracle Financial Services Balance Sheet Planning | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.8 |
CVE-2020-11022 | Oracle Financial Services Basel Regulatory Capital Basic | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.8, 8.1.0 |
CVE-2020-11022 | Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.8, 8.1.0 |
CVE-2020-11022 | Oracle Financial Services Data Foundation | Infrastructure (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.1.0 |
CVE-2020-11022 | Oracle Financial Services Data Governance for US Regulatory Reporting | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.9 |
CVE-2020-11022 | Oracle Financial Services Data Integration Hub | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.7, 8.1.0 |
CVE-2020-11022 | Oracle Financial Services Funds Transfer Pricing | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.7, 8.1.0 |
CVE-2020-11022 | Oracle Financial Services Hedge Management and IFRS Valuations | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.8, 8.1.0 |
CVE-2020-11022 | Oracle Financial Services Institutional Performance Analytics | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.7, 8.1.0 |
CVE-2020-11022 | Oracle Financial Services Liquidity Risk Management | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6 |
CVE-2020-11022 | Oracle Financial Services Liquidity Risk Measurement and Management | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.7, 8.0.8, 8.1.0 |
CVE-2020-11022 | Oracle Financial Services Loan Loss Forecasting and Provisioning | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.8, 8.1.0 |
CVE-2020-11022 | Oracle Financial Services Market Risk Measurement and Management | Infrastructure (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.8 |
CVE-2020-11022 | Oracle Financial Services Price Creation and Discovery | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.7 |
CVE-2020-11022 | Oracle Financial Services Profitability Management | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6, 8.0.7, 8.1.0 |
CVE-2020-11022 | Oracle Financial Services Regulatory Reporting for European Banking Authority | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.1.0 |
CVE-2020-11022 | Oracle Financial Services Regulatory Reporting for US Federal Reserve | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.0.9 |
CVE-2020-1941 | Oracle FLEXCUBE Private Banking | Core (Apache ActiveMQ) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.0.0, 12.1.0 |
CVE-2020-11022 | Oracle Insurance Accounting Analyzer | IFRS17 (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.9 |
CVE-2020-11022 | Oracle Insurance Allocation Manager for Enterprise Profitability | User Interface (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.8, 8.1.0 |
CVE-2020-11022 | Oracle Insurance Data Foundation | Infrastructure (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.0.6-8.1.0 |
CVE-2020-1951 | Oracle FLEXCUBE Private Banking | Core (Apache Tika) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 12.0.0, 12.1.0 |
CVE-2019-10247 | Oracle FLEXCUBE Core Banking | Core (Eclipse Jetty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 5.2.0, 11.5.0-11.7.0 |
CVE-2020-9488 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 8.0.6-8.1.0 |
CVE-2020-9488 | Oracle Financial Services Institutional Performance Analytics | User Interface (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 8.0.6, 8.7.0, 8.1.0 |
CVE-2020-9488 | Oracle Financial Services Market Risk Measurement and Management | Infrastructure (Apache log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 8.0.6, 8.0.8, 8.1.0 |
CVE-2020-9488 | Oracle Financial Services Price Creation and Discovery | User Interface (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 8.0.6, 8.0.7 |
CVE-2020-9488 | Oracle Financial Services Retail Customer Analytics | User Interface (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 8.0.6 |
CVE-2020-9488 | Oracle FLEXCUBE Core Banking | Core (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 5.2.0, 11.5.0-11.7.0 |
CVE-2020-9488 | Oracle FLEXCUBE Private Banking | Core (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 12.0.0, 12.1.0 |

Additional CVEs addressed are:

  • The patch for CVE-2019-10173 also addresses CVE-2013-7285
  • The patch for CVE-2019-10247 also addresses CVE-2019-10246
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023
  • The patch for CVE-2020-11973 also addresses CVE-2020-11971 and CVE-2020-11972
  • The patch for CVE-2020-14195 also addresses CVE-2020-14060, CVE-2020-14061 and CVE-2020-14062
  • The patch for CVE-2020-1941 also addresses CVE-2020-13920
  • The patch for CVE-2020-1951 also addresses CVE-2020-1950
  • The patch for CVE-2020-5398 also addresses CVE-2020-5397
  • The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-9547 and CVE-2020-9548

 

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Food and Beverage Applications.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

(Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics; see Risk Matrix Definitions.)

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-11022 | Oracle Hospitality Materials Control | Mobile Authorization (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 18.1 |
CVE-2020-11022 | Oracle Hospitality Simphony | Simphony Apps (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 18.1, 18.2, 19.1.0-19.1.2 |
CVE-2020-14753 | Oracle Hospitality Reporting and Analytics | Installation | None | No | 5.9 | Local | Low | Low | Required | Changed | High | None | None | 9.1.0 |
CVE-2020-14783 | Oracle Hospitality RES 3700 | CAL | TCP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 5.7 |

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2020-11023

 

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 46 new security patches for Oracle Fusion Middleware.  36 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security updates are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the Critical Patch Update October 2020 to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update October 2020 Patch Availability Document for Oracle Products, My Oracle Support Note 2694898.1.

(Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics; see Risk Matrix Definitions.)

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-5645 | Identity Manager Connector | General and Misc (Apache Log4j) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.0 |
CVE-2018-11058 | Oracle Access Manager | Web Server Plugin (RSA BSafe) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.2.3.0 |
CVE-2017-9800 | Oracle Data Integrator | Install, config, upgrade (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0 |
CVE-2020-10683 | Oracle Endeca Information Discovery Integrator | Integrator ETL (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.2.0 |
CVE-2019-10173 | Oracle Endeca Information Discovery Studio | Endeca Server (xstream) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.2.0 |
CVE-2019-2904 | Oracle Enterprise Repository | Security Subsystem - 12c (Application Development Framework) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.1.7.0 |
CVE-2018-8088 | Oracle GoldenGate Application Adapters | Application Adapters (SLF4J) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.3.2.1.0 |
CVE-2019-17531 | Oracle GoldenGate Application Adapters | Build Request (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 19.1.0.0.0 |
CVE-2018-11058 | Oracle GoldenGate Application Adapters | Security Service (RSA BSAFE) | HTTPS | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.3.2.1.0 |
CVE-2019-5482 | Oracle HTTP Server | Web Listener (cURL) | TFTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 |
CVE-2020-10683 | Oracle WebCenter Portal | Portlet Services (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 |
CVE-2020-2555 | Oracle WebCenter Portal | Security Framework (Oracle Coherence) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 |
CVE-2019-10173 | Oracle WebCenter Portal | Security Framework (xstream) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.1.9.0, 12.2.1.3.0 |
CVE-2019-17267 | Oracle WebLogic Server | Centralized Thirdparty Jars (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0 |
CVE-2020-14882 | Oracle WebLogic Server | Console | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
CVE-2020-14841 | Oracle WebLogic Server | Core | IIOP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
CVE-2020-14825 | Oracle WebLogic Server | Core | IIOP, T3 | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
CVE-2020-14859 | Oracle WebLogic Server | Core | IIOP, T3 | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
CVE-2020-14879 | BI Publisher | E-Business Suite - XDO | HTTP | No | 8.5 | Network | Low | Low | None | Changed | High | Low | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 |
CVE-2020-14880 | BI Publisher | E-Business Suite - XDO | HTTP | No | 8.5 | Network | Low | Low | None | Changed | High | Low | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 |
CVE-2020-14842 | BI Publisher | BI Publisher Security | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 |
CVE-2020-14784 | Oracle BI Publisher | Mobile Service | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 |
CVE-2020-14815 | Oracle Business Intelligence Enterprise Edition | Analytics Actions | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0 |
CVE-2016-2510 | Oracle Data Integrator | Java APIs (BeanShell) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.1.1.9.0, 12.2.1.3.0 |
CVE-2020-3235 | Management Pack for Oracle GoldenGate | Monitor (SNMP) | SNMP | No | 7.7 | Network | Low | Low | None | Changed | None | None | High | 12.2.1.2.0 |
CVE-2020-14864 | Oracle Business Intelligence Enterprise Edition | Installation | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0 |
CVE-2020-1967 | Oracle HTTP Server | SSL Module (OpenSSL) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 |
CVE-2020-14820 | Oracle WebLogic Server | Core | IIOP, T3 | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
CVE-2019-10097 | Oracle HTTP Server | Core (Apache HTTP Server) | HTTP | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 12.2.1.4.0 |
CVE-2020-14883 | Oracle WebLogic Server | Console | HTTP | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
CVE-2020-14780 | BI Publisher | BI Publisher Security | HTTP | Yes | 7.1 | Network | Low | None | Required | Unchanged | High | Low | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 |
CVE-2020-14843 | Oracle Business Intelligence Enterprise Edition | Analytics Actions | HTTP | Yes | 7.1 | Network | Low | None | Required | Changed | Low | Low | Low | 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0 |
CVE-2020-14766 | Oracle Business Intelligence Enterprise Edition | Analytics Web Administration | HTTP | No | 7.1 | Network | Low | Low | None | Unchanged | High | Low | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 |
CVE-2020-9484 | Oracle Managed File Transfer | MFT Runtime Server (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 |
CVE-2020-14757 | Oracle WebLogic Server | Web Services | HTTP | Yes | 6.8 | Network | High | None | Required | Unchanged | High | High | None | 12.2.1.3.0 |
CVE-2020-15389 | Oracle Outside In Technology | Installation (OpenJPEG) | HTTP | Yes | 6.5 | Network | High | None | None | Unchanged | Low | None | High | 8.5.5, 8.5.4 | See Note 1
CVE-2020-1945 | Oracle Business Process Management Suite | Runtime Engine (Apache Ant) | None | No | 6.3 | Local | High | Low | None | Unchanged | High | High | None | 12.2.1.3.0, 12.2.1.4.0 |
CVE-2019-11358 | BI Publisher | BI Publisher Security (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0 |
CVE-2019-11358 | Oracle Business Process Management Suite | Runtime Engine (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.3.0, 12.2.1.4.0 |
CVE-2019-2904 | Oracle Business Process Management Suite | Runtime Engine (Application Development Framework) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.3.0, 12.2.1.4.0 |
CVE-2020-11022 | Oracle JDeveloper | ADF Faces (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 |
CVE-2020-9281 | Oracle WebCenter Portal | Blogs and Wikis (CKEditor) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 |
CVE-2020-11022 | Oracle WebLogic Server | Console (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
CVE-2020-1951 | Oracle Business Process Management Suite | Document Service (Apache Tika) | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0 |
CVE-2020-13631 | Oracle Outside In Technology | Installation (SQLite) | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | High | None | 8.5.5, 8.5.4 | See Note 1
CVE-2020-9488 | Oracle WebLogic Server | Core (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 10.3.6.0.0 |

Notes:

  1. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.
 

Additional CVEs addressed are:

  • The patch for CVE-2017-9800 also addresses CVE-2016-2167, CVE-2016-2168 and CVE-2016-8734
  • The patch for CVE-2018-11058 also addresses CVE-2016-0701, CVE-2016-2183, CVE-2016-6306, CVE-2016-8610, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057 and CVE-2018-15769
  • The patch for CVE-2019-17267 also addresses CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943
  • The patch for CVE-2019-17531 also addresses CVE-2019-16943, CVE-2019-17267 and CVE-2019-20330
  • The patch for CVE-2019-5482 also addresses CVE-2019-5435, CVE-2019-5436, CVE-2019-5443 and CVE-2019-5481
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023
  • The patch for CVE-2020-13631 also addresses CVE-2020-11655, CVE-2020-11656, CVE-2020-13630, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
  • The patch for CVE-2020-1951 also addresses CVE-2020-1950

 

Oracle GraalVM Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle GraalVM.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

(Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics; see Risk Matrix Definitions.)

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-14803 | Oracle GraalVM Enterprise Edition | Java | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 19.3.3, 20.2.0 |

 

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Health Sciences Applications.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

(Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics; see Risk Matrix Definitions.)

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-1953 | Oracle Healthcare Foundation | Self Service Analytics (Apache Commons Configuration) | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 7.1.1, 7.2.0, 7.2.1, 7.3.0 |
CVE-2020-10683 | Oracle Health Sciences Empirica Signal | User Interface (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.0 |
CVE-2020-2555 | Oracle Healthcare Data Repository | Database Module (Oracle Coherence) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.0.1 |
CVE-2020-11022 | Oracle Healthcare Foundation | Admin Console (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 7.1.1, 7.2.0, 7.2.1, 7.3.0 |

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2020-11023

 

Oracle Hospitality Applications Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Hospitality Applications.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

(Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics; see Risk Matrix Definitions.)

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2019-17638 | Oracle Hospitality Guest Access | Base (Eclipse Jetty) | HTTP | Yes | 9.4 | Network | Low | None | None | Unchanged | High | High | Low | 4.2.0, 4.2.1 |
CVE-2020-14807 | Oracle Hospitality Suite8 | WebConnect | HTTP | Yes | 7.1 | Network | Low | None | Required | Unchanged | High | Low | None | 8.10.2, 8.11-8.14 |
CVE-2020-9484 | Oracle Hospitality Guest Access | Base (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 4.2.0, 4.2.1 |
CVE-2020-14858 | Oracle Hospitality OPERA 5 Property Services | Logging | HTTP | No | 6.8 | Network | Low | High | Required | Unchanged | High | High | High | 5.5, 5.6 |
CVE-2020-14877 | Oracle Hospitality OPERA 5 Property Services | Logging | HTTP | No | 6.5 | Network | Low | High | None | Unchanged | High | High | None | 5.5, 5.6 |
CVE-2020-14810 | Oracle Hospitality Suite8 | WebConnect | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 8.10.2, 8.11-8.14 |

Additional CVEs addressed are:

  • The patch for CVE-2019-17638 also addresses CVE-2019-17632

 

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 9 new security patches for Oracle Hyperion.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

(Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics; see Risk Matrix Definitions.)

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2019-5482 | Hyperion Essbase | Security and Provisioning (cURL) | TFTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.2.4 |
CVE-2020-14854 | Hyperion Infrastructure Technology | UI and Visualization | HTTP | No | 6.1 | Network | Low | High | Required | Unchanged | High | High | None | 11.1.2.4 |
CVE-2019-1547 | Hyperion Essbase | Security and Provisioning (OpenSSL) | None | No | 4.7 | Local | High | Low | None | Unchanged | High | None | None | 11.1.2.4 |
CVE-2020-14768 | Hyperion Analytic Provider Services | Smart View Provider | HTTP | No | 4.3 | Adjacent Network | High | Low | Required | Unchanged | Low | Low | Low | 11.1.2.4 |
CVE-2020-14767 | Hyperion BI+ | IQR-Foundation service | Multiple | No | 4.2 | Network | High | High | Required | Unchanged | High | None | None | 11.1.2.4 |
CVE-2020-14752 | Hyperion Lifecycle Management | Shared Services | HTTP | No | 4.2 | Network | High | High | Required | Unchanged | None | High | None | 11.1.2.4 |
CVE-2020-14772 | Hyperion Lifecycle Management | Shared Services | HTTP | No | 4.2 | Network | High | High | Required | Unchanged | None | High | None | 11.1.2.4 |
CVE-2020-14764 | Hyperion Planning | Application Development Framework | HTTP | No | 4.2 | Network | High | High | Required | Unchanged | None | High | None | 11.1.2.4 |
CVE-2020-14770 | Hyperion BI+ | IQR-Foundation service | Multiple | No | 2.0 | Network | High | High | Required | Unchanged | Low | None | None | 11.1.2.4 |

Additional CVEs addressed are:

  • The patch for CVE-2019-1547 also addresses CVE-2019-1549, CVE-2019-1552 and CVE-2019-1563
  • The patch for CVE-2019-5482 also addresses CVE-2019-5481

 

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Insurance Applications.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

(Columns Base Score through Availability are the CVSS VERSION 3.1 RISK metrics; see Risk Matrix Definitions.)

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2020-9546 | Oracle Insurance Policy Administration J2EE | Architecture (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.0.2.25, 11.1.0.15 |
CVE-2020-5398 | Oracle Insurance Policy Administration J2EE | Admin Console (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.2.2.0 |
CVE-2020-11022 | Oracle Insurance Insbridge Rating and Underwriting | Framework Administrator IBFA (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 5.0.0.0 - 5.6.0.0, 5.6.1.0 |
CVE-2020-9488 | Oracle Insurance Insbridge Rating and Underwriting | Framework Administrator IBFA (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 5.0.0.0 - 5.6.0.0, 5.6.1.0 |
CVE-2020-9488 | Oracle Insurance Policy Administration J2EE | Architecture (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26 |
CVE-2020-9488 | Oracle Insurance Rules Palette | Architecture (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26 |

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2019-11358 and CVE-2020-11023
  • The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-9547 and CVE-2020-9548

 

Oracle Java SE Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle Java SE.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 Risk (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-14803 | Java SE | Libraries | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | Java SE: 11.0.8, 15 | See Note 1 |
| CVE-2020-14792 | Java SE, Java SE Embedded | Hotspot | Multiple | Yes | 4.2 | Network | High | None | Required | Unchanged | Low | Low | None | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 2 |
| CVE-2020-14781 | Java SE, Java SE Embedded | JNDI | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 2 |
| CVE-2020-14782 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 2 |
| CVE-2020-14797 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 2 |
| CVE-2020-14779 | Java SE, Java SE Embedded | Serialization | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 2 |
| CVE-2020-14796 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 3.1 | Network | High | None | Required | Unchanged | Low | None | None | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 1 |
| CVE-2020-14798 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 3.1 | Network | High | None | Required | Unchanged | None | Low | None | Java SE: 7u271, 8u261, 11.0.8, 15; Java SE Embedded: 8u261 | See Note 1 |

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
  2. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.


 

Oracle MySQL Risk Matrix

This Critical Patch Update contains 53 new security patches plus additional third party patches noted below for Oracle MySQL.  4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 Risk (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-8174 | MySQL Cluster | Cluster: JS module (Node.js) | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.3.30 and prior, 7.4.29 and prior, 7.5.19 and prior, 7.6.15 and prior, 8.0.21 and prior | |
| CVE-2020-14878 | MySQL Server | Server: Security: LDAP Auth | MySQL Protocol | No | 8.0 | Adjacent Network | Low | Low | None | Unchanged | High | High | High | 8.0.21 and prior | |
| CVE-2020-13935 | MySQL Enterprise Monitor | Monitoring: General (Apache Tomcat) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-1967 | MySQL Workbench | Workbench: Security: Encryption (OpenSSL) | MySQL Workbench | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14828 | MySQL Server | Server: DML | MySQL Protocol | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 8.0.21 and prior | |
| CVE-2020-14775 | MySQL Server | InnoDB | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14765 | MySQL Server | Server: FTS | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14769 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14830 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14836 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14846 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14800 | MySQL Server | Server: Security: Encryption | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14827 | MySQL Server | Server: Security: LDAP Auth | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14760 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 5.5 | Network | Low | High | None | Unchanged | None | Low | High | 5.7.31 and prior | |
| CVE-2020-1730 | MySQL Workbench | MySQL Workbench (libssh) | MySQL Workbench | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 8.0.21 and prior | |
| CVE-2020-14776 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14821 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14829 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14848 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14852 | MySQL Server | Server: Charsets | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14814 | MySQL Server | Server: DML | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14789 | MySQL Server | Server: FTS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14804 | MySQL Server | Server: FTS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14812 | MySQL Server | Server: Locking | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14773 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14777 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14785 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14793 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14794 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14809 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14837 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14839 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14845 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14861 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14866 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14868 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14888 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14891 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14893 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14786 | MySQL Server | Server: PS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14790 | MySQL Server | Server: PS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14844 | MySQL Server | Server: PS | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14799 | MySQL Server | Server: Security: Encryption | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.20 and prior | |
| CVE-2020-14869 | MySQL Server | Server: Security: LDAP Auth | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14672 | MySQL Server | Server: Stored Procedure | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14870 | MySQL Server | Server: X Plugin | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14853 | MySQL Cluster | Cluster: NDBCluster Plugin | Multiple | No | 4.6 | Network | Low | Low | Required | Unchanged | None | Low | Low | 8.0.21 and prior | |
| CVE-2020-14867 | MySQL Server | Server: DDL | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior | |
| CVE-2020-14873 | MySQL Server | Server: Logging | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2020-14838 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 8.0.21 and prior | |
| CVE-2020-14860 | MySQL Server | Server: Security: Roles | MySQL Protocol | No | 2.7 | Network | Low | High | None | Unchanged | None | Low | None | 8.0.21 and prior | |
| CVE-2020-14791 | MySQL Server | InnoDB | MySQL Protocol | No | 2.2 | Network | High | High | None | Unchanged | None | None | Low | 8.0.21 and prior | |
| CVE-2020-14771 | MySQL Server | Server: Security: LDAP Auth | MySQL Protocol | No | 2.2 | Network | High | High | None | Unchanged | None | None | Low | 5.7.31 and prior, 8.0.21 and prior | |

Additional CVEs addressed are:

  • The patch for CVE-2020-13935 also addresses CVE-2020-11996, CVE-2020-13934 and CVE-2020-9484
  • The patch for CVE-2020-8174 also addresses CVE-2020-11080 and CVE-2020-8172

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • MySQL Cluster
    • Cluster: Configuration (dojo): CVE-2020-4051

 

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 15 new security patches for Oracle PeopleSoft.  12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 Risk (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2018-11058 | PeopleSoft Enterprise PeopleTools | Weblogic (RSA BSafe) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.56, 8.57, 8.58 | |
| CVE-2020-14865 | PeopleSoft Enterprise SCM eSupplier Connection | eSupplier Connection | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 9.2 | |
| CVE-2020-14795 | PeopleSoft Enterprise PeopleTools | PIA Core Technology | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 8.57, 8.58 | |
| CVE-2020-14778 | PeopleSoft Enterprise HCM Global Payroll Core | Security | HTTP | No | 6.3 | Network | Low | Low | None | Unchanged | Low | Low | Low | 9.2 | |
| CVE-2020-14832 | PeopleSoft Enterprise PeopleTools | Integration Broker | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
| CVE-2020-14801 | PeopleSoft Enterprise PeopleTools | PIA Core Technology | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
| CVE-2020-14802 | PeopleSoft Enterprise PeopleTools | PIA Core Technology | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
| CVE-2020-11022 | PeopleSoft Enterprise PeopleTools | PIA Core Technology (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
| CVE-2020-14813 | PeopleSoft Enterprise PeopleTools | PIA Grids | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
| CVE-2020-11022 | PeopleSoft Enterprise PeopleTools | Portal, Charting (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
| CVE-2020-1954 | PeopleSoft Enterprise PeopleTools | Elastic Search (Apache CXF) | HTTP | Yes | 5.3 | Adjacent Network | High | None | None | Unchanged | High | None | None | 8.56 | |
| CVE-2020-14806 | PeopleSoft Enterprise PeopleTools | Query | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 8.56, 8.57, 8.58 | |
| CVE-2020-9488 | PeopleSoft Enterprise PeopleTools | Tools Admin API (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 8.56, 8.57, 8.58 | |
| CVE-2020-9488 | PeopleSoft Enterprise PeopleTools | Updates Environment Mgmt (Apache Log4j) | SMTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 8.56, 8.57, 8.58 | |
| CVE-2020-14847 | PeopleSoft Enterprise PeopleTools | Query | HTTP | No | 2.7 | Network | Low | High | None | Unchanged | Low | None | None | 8.56, 8.57, 8.58 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2020-11023

 

Oracle Policy Automation Risk Matrix

This Critical Patch Update contains 6 new security patches for Oracle Policy Automation.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 Risk (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-11022 | Oracle Policy Automation | Core (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.0 - 12.2.20 | |
| CVE-2020-11022 | Oracle Policy Automation Connector for Siebel | Core (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 10.4.6 | |
| CVE-2020-11022 | Oracle Policy Automation for Mobile Devices | Core (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.0 - 12.2.20 | |
| CVE-2020-9488 | Oracle Policy Automation | Core (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 12.2.0 - 12.2.20 | |
| CVE-2020-9488 | Oracle Policy Automation Connector for Siebel | Core (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 10.4.6 | |
| CVE-2020-9488 | Oracle Policy Automation for Mobile Devices | Core (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 12.2.0 - 12.2.20 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2020-11023

 

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 28 new security patches for Oracle Retail Applications.  25 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 Risk (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-10683 | Oracle Retail Order Broker | System Administration (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 15.0, 16.0, 18.0, 19.0, 19.1 | |
| CVE-2020-10683 | Oracle Retail Price Management | Security (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.0.4, 14.1.3.0, 15.0.3.0, 16.0.3.0 | |
| CVE-2020-9546 | Oracle Retail Service Backbone | RSB kernel (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.1, 15.0, 16.0 | |
| CVE-2020-1945 | Oracle Retail Back Office | Security (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 14.0, 14.1 | |
| CVE-2020-1945 | Oracle Retail Central Office | Security (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 14.0, 14.1 | |
| CVE-2020-1945 | Oracle Retail Integration Bus | RIB Kernal (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 14.1, 15.0, 16.0 | |
| CVE-2020-1945 | Oracle Retail Point-of-Service | Security (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 14.0, 14.1 | |
| CVE-2020-1945 | Oracle Retail Returns Management | Security (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 14.0, 14.1 | |
| CVE-2020-9410 | Oracle Retail Order Broker | Order Broker Foundation (jasperreports_server) | HTTP | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 15.0, 16.0 | |
| CVE-2019-3740 | Oracle Retail Assortment Planning | Application Core (RSA BSAFE Crypto-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 15.0.3.0, 16.0.3.0 | |
| CVE-2019-3740 | Oracle Retail Integration Bus | RIB Kernal (RSA BSAFE Crypto-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 14.1, 15.0, 16.0 | |
| CVE-2019-3740 | Oracle Retail Predictive Application Server | RPAS Server (RSA BSAFE Crypto-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 14.1.3.0, 15.0.3.0, 16.0.3.0 | |
| CVE-2019-3740 | Oracle Retail Service Backbone | RSB kernel (RSA BSAFE Crypto-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 14.1, 15.0, 16.0 | |
| CVE-2019-3740 | Oracle Retail Xstore Point of Service | Xenvironment (RSA BSAFE Crypto-J) | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 15.0.3, 16.0.5, 17.0.3, 18.0.2, 19.0.1 | |
| CVE-2020-11022 | Oracle Retail Back Office | Security (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.0, 14.1 | |
| CVE-2020-11022 | Oracle Retail Central Office | Security (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.0, 14.1 | |
| CVE-2020-11022 | Oracle Retail Customer Management and Segmentation Foundation | Segments (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 19.0 | |
| CVE-2019-11358 | Oracle Retail Point-of-Service | Mobile POS (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.0, 14.1 | |
| CVE-2020-11022 | Oracle Retail Returns Management | Security (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.0, 14.1 | |
| CVE-2019-12415 | Oracle Retail Order Broker | Store Connect (Apache POI) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 15.0, 16.0 | |
| CVE-2020-9488 | Oracle Retail Advanced Inventory Planning | AIP Dashboard (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 14.1 | |
| CVE-2020-9488 | Oracle Retail Assortment Planning | Application Core (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 15.0.3.0, 16.0.3.0 | |
| CVE-2020-9488 | Oracle Retail Bulk Data Integration | BDI Job Scheduler (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 15.0.3.0, 16.0.3.0 | |
| CVE-2020-9488 | Oracle Retail Integration Bus | RIB Kernal (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 14.1, 15.0, 16.0 | |
| CVE-2020-9488 | Oracle Retail Order Broker | Store Connect (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 16.0, 18.0, 19.0, 19.1, 19.2, 19.3 | |
| CVE-2020-9488 | Oracle Retail Predictive Application Server | RPAS Fusion Client (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 14.1.3.0, 15.0.3.0, 16.0.3.0 | |
| CVE-2020-14732 | Oracle Retail Customer Management and Segmentation Foundation | Promotions | HTTP | No | 3.1 | Network | High | Low | None | Unchanged | Low | None | None | 19.0 | |
| CVE-2020-14731 | Oracle Retail Customer Management and Segmentation Foundation | Segment | HTTP | No | 3.1 | Network | High | Low | None | Unchanged | Low | None | None | 18.0, 19.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2019-3740 also addresses CVE-2019-3738 and CVE-2019-3739
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023
  • The patch for CVE-2020-1945 also addresses CVE-2017-5645
  • The patch for CVE-2020-9410 also addresses CVE-2020-9409
  • The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-9547 and CVE-2020-9548

 

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Siebel CRM.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 Risk (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-1000031 | Siebel Apps - Marketing | Mktg/Email Mktg Stand-Alone (Apache Commons File Upload) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 20.7 | |
| CVE-2019-10072 | Siebel Apps - Marketing | Mktg/Campaign Mgmt (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 20.7 | |
| CVE-2020-11022 | Siebel UI Framework | UIF Open UI (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 20.8 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2020-11023

 

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Supply Chain.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 Risk (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-1938 | Oracle Agile PLM | Folders, Files & Attachments (Apache Tomcat) | AJP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.3.3, 9.3.5, 9.3.6 | |
| CVE-2020-10683 | Oracle Agile PLM | Security (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 9.3.3, 9.3.5 | |
| CVE-2020-9484 | Oracle Transportation Management | Install (Apache Tomcat) | AJP | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 6.3.7 | |
| CVE-2020-11022 | Oracle Agile Product Lifecycle Management for Process | Supplier Portal (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 6.2.0.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2020-11023
  • The patch for CVE-2020-1938 also addresses CVE-2019-17569, CVE-2020-13934, CVE-2020-13935, CVE-2020-1935 and CVE-2020-9484

 

Oracle Systems Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle Systems.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 Risk (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-14871 | Oracle Solaris | Pluggable authentication module | Multiple | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 10, 11 | See Note 1 |
| CVE-2020-14871 | Oracle ZFS Storage Appliance Kit | Operating System Image | Multiple | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | 8.8 | See Note 1 |
| CVE-2019-11477 | Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers | XCP Firmware (Linux Kernel) | TCP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to XCP2362, prior to XCP3090 | |
| CVE-2018-3693 | Fujitsu M12-1, M12-2, M12-2S Servers | XCP Firmware (Kernel) | None | No | 5.6 | Local | High | Low | None | Changed | High | None | None | Prior to XCP3090 | |
| CVE-2020-14758 | Oracle Solaris | Kernel | None | No | 5.6 | Local | Low | Low | Required | Unchanged | High | None | Low | 11 | |
| CVE-2020-14754 | Oracle Solaris | Filesystem | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 11 | |
| CVE-2020-14818 | Oracle Solaris | Utility | SSH | No | 3.0 | Network | High | Low | Required | Changed | None | Low | None | 11 | |
| CVE-2020-14759 | Oracle Solaris | Kernel | None | No | 2.5 | Local | High | Low | Required | Changed | None | Low | None | 11 | |

Notes:

  1. This CVE is not exploitable for Solaris 11.1 and later releases, and ZFSSA 8.7 and later releases, thus the CVSS Base Score is 0.0.
 

Additional CVEs addressed are:

  • The patch for CVE-2019-11477 also addresses CVE-2019-11478 and CVE-2019-11479
  • The patch for CVE-2020-14871 for Oracle ZFS Storage Appliance Kit also addresses CVE-2019-18348, CVE-2020-3909, CVE-2020-10108, CVE-2020-12243, CVE-2020-13630, CVE-2020-14758 and CVE-2020-14759

 

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Utilities Applications.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 Risk (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-10173 | Oracle Utilities Framework | Common (xstream) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0 | |
| CVE-2020-10683 | Oracle Utilities Framework | General (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | |
| CVE-2020-1945 | Oracle Utilities Framework | General (Apache Ant) | None | No | 6.3 | Local | High | Low | None | Unchanged | High | High | None | 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | |
| CVE-2020-14895 | Oracle Utilities Framework | System Wide | HTTP | No | 5.4 | Network | Low | Low | None | Unchanged | Low | Low | None | 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | |
| CVE-2020-9488 | Oracle Utilities Framework | Common (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 - 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-1945 also addresses CVE-2017-5645

 

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Virtualization.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Columns Base Score through Availability are the CVSS Version 3.1 Risk (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-14872 | Oracle VM VirtualBox | Core | None | No | 8.2 | Local | Low | High | None | Changed | High | High | High | Prior to 6.1.16 | |
| CVE-2020-14881 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.16 | |
| CVE-2020-14884 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.16 | |
| CVE-2020-14885 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.16 | |
| CVE-2020-14886 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.16 | |
| CVE-2020-14889 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.16 | |
| CVE-2020-14892 | Oracle VM VirtualBox | Core | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | Prior to 6.1.16 | |