2017年10月 oracle 關鍵補丁更新

注：本文出自http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

檢查你的系統，是否打了最新的補丁。。。。。。。。。。。。。

Oracle Critical Patch Update Advisory - October 2017

Description

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.

This Critical Patch Update contains 252 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at October 2017 Critical Patch Update: Executive Summary and Analysis

Please note that on September 22, 2017, Oracle released Security Alert for CVE-2017-9805. Customers of affected Oracle product(s) are strongly advised to apply the fixes that were announced in this Security Alert as well as those contained in this Critical Patch update

This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available here.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Affected Products and Versions column. Please click on the link in the Patch Availability column below to access the documentation for patch availability information and installation instructions.

For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update October 2017 Documentation Map,My Oracle Support Note.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Note:

Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.
Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security fixes required to resolve ZFSSA issues published in Critical Patch Updates (CPUs) and Solaris Third Party bulletins.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found inprevious Critical Patch Update advisories. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is a unique identifier for a vulnerability. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.

Product Dependencies

Oracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and how to apply patches to dependent products, please refer to Patch Set Update and Critical Patch Update October 2017 Availability Document, My Oracle Support Note 2296870.1.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly "Oracle Enterprise Manager Grid Control") and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Critical Patch Update program are available to customers who have Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Critical Patch Update program for products in the Extended Support Phase.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

Adam Willard of Blue Canopy: CVE-2017-10360
Alexey Tyurin of ERPScan: CVE-2017-10271
An Anonymous researcher via Beyond Security's SecuriTeam Secure Disclosure Program: CVE-2017-10355
Andrés Blanco of Onapsis: CVE-2017-10336
Behzad Najjarpour Jabbari, Secunia Research at Flexera Software: CVE-2017-10051
Charles Fol of Ambionics: CVE-2017-10362
Christopher Tarquini: CVE-2017-10268
Cris Neckar of Divergent Security: CVE-2017-10154
Daniel Ekberg of Swedish Public Employment Service: CVE-2017-10321
Daniel Fröjdendahl: CVE-2017-10293
David Litchfield of Apple: CVE-2017-10292
Devin Rosenbauer of Identity Works LLC: CVE-2017-10352
Dmitrii Iudin aka @ret5et of ERPScan: CVE-2017-10373
Fabio Pires of NCC Group: CVE-2017-10310, CVE-2017-10312
Federico Dotta of Media Service: CVE-2017-10271
Francesco Palmarini of Ca' Foscari University of Venice: CVE-2017-10345, CVE-2017-10356
Gaston Traberg of Onapsis: CVE-2017-10281, CVE-2017-10332, CVE-2017-10347, CVE-2017-3444, CVE-2017-3445, CVE-2017-3446
Hassan El Hadary - Secure Misr: CVE-2017-10363
Jakub Palaczynski of ING Services Polska: CVE-2017-10034
Jared McLaren of SecureWorks: CVE-2017-10259
Jeffrey Altman of Secure Endpoints Inc.: CVE-2017-10388
Joshua Graham of Datacom TSS: CVE-2017-10379
José Carlos Expósito Bueno of Internet Security Auditors: CVE-2017-10163
Juan Pablo Perez Etchegoyen of Onapsis: CVE-2017-10066, CVE-2017-10324, CVE-2017-10325, CVE-2017-10328, CVE-2017-10329, CVE-2017-10330, CVE-2017-10331, CVE-2017-10336
loopx9: CVE-2017-10352
Lukasz Mikula: CVE-2017-10060
Léa Nuel of NES: CVE-2017-10055
Marcin Wołoszyn of ING Services Polska: CVE-2017-10163, CVE-2017-10312, CVE-2017-10358, CVE-2017-10359
Marco Squarcina of Ca' Foscari University of Venice: CVE-2017-10345, CVE-2017-10356
Martin Doyhenard of Onapsis: CVE-2017-10322, CVE-2017-10326, CVE-2017-10332
Mathew Nash of NCC Group: CVE-2017-10310, CVE-2017-10312
Matias Mevied of Onapsis: CVE-2017-10323, CVE-2017-3444, CVE-2017-3445, CVE-2017-3446
Mauro Tempesta of Ca' Foscari University of Venice: CVE-2017-10345, CVE-2017-10356
Ming Yi Ang of SourceClear: CVE-2017-10385, CVE-2017-10391, CVE-2017-10393, CVE-2017-10400
Nikita Egorov of ERPScan: CVE-2017-10304, CVE-2017-10306
Orange Tsai: CVE-2017-10295
Owais Mehtab of IS: CVE-2017-10026, CVE-2017-10259
Reno Robert: CVE-2017-10392, CVE-2017-10407, CVE-2017-10408, CVE-2017-10428
Riccardo Focardi of Ca' Foscari University of Venice: CVE-2017-10345, CVE-2017-10356
Sebastian Cornejo of SIA Group: CVE-2017-10033
Spyridon Chatzimichail of OTE Hellenic Telecommunications Organization S.A.: CVE-2017-10152
Steven Seeley of Source Incite: CVE-2017-10309
Tamas Szakaly: CVE-2017-10309
Tayeeb Rana of IS: CVE-2017-10026, CVE-2017-10259
Tobias Ospelt of modzero: CVE-2017-10356
Tor Erling Bjorstad of Mnemonic AS: CVE-2017-10060
Travis Emmert of Exodus Intelligence: CVE-2017-10369
Travis Emmert of Synack Red Team: CVE-2017-10364
Tushar Parab: CVE-2017-10159
Vahagn Vardanyan of ERPScan: CVE-2017-10366, CVE-2017-10409, CVE-2017-10410, CVE-2017-10411, CVE-2017-10412, CVE-2017-10413, CVE-2017-10414, CVE-2017-10415, CVE-2017-10416, CVE-2017-10417
Vicente Motos of SIA Group: CVE-2017-10033
Zakaria Amous: CVE-2017-10261

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update Advisory, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program.:

Andreev Ivan
Ian Haken
Jayson Grace of Sandia National Laboratories
Juan Pablo Perez Etchegoyen of Onapsis
Mohammad Abdullah - ErrOr SquaD Bangladesh
Or Hanuka of Motorola Solutions
Steven Danneman of Security Innovation
Tansel ÇETİN
Tzachy Horesh of Motorola Solutions

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:

Abdelfattah Ibrahim
Abhineeti Singh
Adam Willard of Blue Canopy
Ahsan Khan
Ali Ardic
Athul Jayaram
Berk İmran
Doğukan Karaciğer
Emad Shanab of Emad Abou Shanab
Karthik Reddy
Krishna Manoj Vandavasi
Lecamen Nartatez
Muhammad Osama
Mushraf Mustafa (3 reports)
Pal Patel
S. Venkatesh
SaifAllah benMassaoud
Teemu Kääriäinen
Vinod Kurup
Yassine Nafiai
Çağatay Çalı

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

16 January 2018
17 April 2018
17 July 2018
16 October 2018

References

Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
Critical Patch Update - October 2017 Documentation Map [ My Oracle Support Note ]
Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
English text version of the risk matrices [ Oracle Technology Network ]
List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]

Modification History

Date	Note
2017-October-26	Rev 3. Credit Statement Update; Affected versions update for CVE-2017-10065; CVSS score update for CVE-2017-10396.
2017-October-19	Rev 2. Credit Statement Update.
2017-October-17	Rev 1. Initial Release.

Appendix - Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 6 new security fixes for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

Oracle Database Server Risk Matrix

CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Supported Versions Affected	Notes
CVE#	Component	Package and/or Privilege Required	Protocol	Remote Exploit without Auth.?	Supported Versions Affected	Notes	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-10321	Core RDBMS	Create session	Oracle Net	No	8.8	Local	Low	Low	None	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1	See Note 1
CVE-2016-6814	Spatial (Apache Groovy)	None	Multiple	Yes	8.3	Network	High	None	Required	Changed	High	High	High	12.2.0.1	See Note 2
CVE-2017-10190	Java VM	Create Session, Create Procedure	Multiple	No	8.2	Local	Low	High	None	Changed	High	High	High	11.2.0.4, 12.1.0.2, 12.2.0.1
CVE-2016-8735	WLM (Apache Tomcat)	None	Multiple	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	12.2.0.1
CVE-2017-10261	XML Database	Create Session	Oracle Net	No	6.5	Local	Low	Low	None	Changed	High	None	None	11.2.0.4, 12.1.0.2	See Note 3
CVE-2017-10292	RDBMS Security	Create User	Oracle Net	No	2.3	Local	Low	High	None	Un- changed	None	Low	None	11.2.0.4, 12.1.0.2, 12.2.0.1

Notes:

This score is for Windows platform version 11.2.0.4 of Database. For Windows platform version 12.1.0.2 and Linux, the score is 7.8 with scope Unchanged.
Component installed optionally. Not in the default installation.
This score is for Windows platform version 11.2.0.4 of Database. For Windows platform version 12.1.0.2 and Linux, the score is 5.5 with scope Unchanged.

Additional CVEs addressed are below:

The fix for CVE-2016-8735 also addresses CVE-2016-6816 and CVE-2016-8745

Appendix - Oracle Communications Applications

Oracle Communications Applications Executive Summary

This Critical Patch Update contains 23 new security fixes for Oracle Communications Applications. 18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Communications Applications Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Supported Versions Affected	Notes	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-5461	Oracle Communications Messaging Server	Security (NSS)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	8.x
CVE-2016-5019	Oracle Communications Services Gatekeeper	Security (Apache Trinidad)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	5.1, 6.0
CVE-2015-0235	Oracle Communications User Data Repository	Security (glibc)	Multiple	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	10.x
CVE-2015-3253	Oracle Communications WebRTC Session Controller	Security (Apache Groovy)	HTTP	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.0, 7.1, 7.2
CVE-2015-0235	Oracle Communications WebRTC Session Controller	Media (glibc)	TLS	Yes	9.8	Network	Low	None	None	Un- changed	High	High	High	7.0, 7.1, 7.2
CVE-2015-7501	Oracle Communications WebRTC Session Controller	Security (Apache Commons Collections)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	7.0, 7.1, 7.2
CVE-2016-0635	Oracle Communications WebRTC Session Controller	Security (Spring)	HTTP	No	8.8	Network	Low	Low	None	Un- changed	High	High	High	7.0, 7.1, 7.2
CVE-2016-2107	Oracle Communications WebRTC Session Controller	Security (OpenSSL)	TLS	Yes	8.2	Network	Low	None	None	Un- changed	Low	None	High	7.0, 7.1, 7.2
CVE-2014-0224	Tekelec HLR Router	Security (OpenSSL)	TLS	Yes	8.1	Network	High	None	None	Un- changed	High	High	High	4.x
CVE-2016-7052	Oracle Communications Diameter Signaling Router (DSR)	OAM and Signaling (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	7.x
CVE-2016-6304	Oracle Communications Unified Session Manager	Routing (OpenSSL)	TLS	Yes	7.5	Network	Low	None	None	Un- changed	None	None	High	SCz 7.x
CVE-2014-0114	Oracle Communications WebRTC Session Controller	Media (BeanUtils)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	7.0, 7.1, 7.2
CVE-2014-0107	Oracle Communications WebRTC Session Controller	Security (Xalan)	HTTP	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	7.0, 7.1, 7.2
CVE-2014-4345	Oracle Communications WebRTC Session Controller	Security (Kerberos)	Multiple	Yes	7.3	Network	Low	None	None	Un- changed	Low	Low	Low	7.0, 7.1, 7.2
CVE-2015-7501	Oracle Communications Order and Service Management	Security (Apache Commons Collections)	Multiple	Yes	7.1	Network	Low	None	Required	Changed	Low	Low	Low	7.2.4.x.x, 7.3.0.x.x, 7.3.1.x.x, 7.3.5.x.x
CVE-2016-2381	Oracle Communications Billing and Revenue Management	Security (Perl)	Multiple	No	6.5	Network	Low	Low	None	Un- changed	None	High	None	7.5
CVE-2017-10153	Oracle Communications WebRTC Session Controller	Security (Gson)	Multiple	No	6.3	Network	High	Low	None	Changed	None	None	High	7.0, 7.1, 7.2
CVE-2017-10159	Oracle Communications Policy Management	Portal, CMP	HTTP	Yes	6.1	Network	Low	None	Required	Changed	Low	Low	None	11.5, 12.x
CVE-2017-3732	Oracle Communications EAGLE LNP Application Processor	Patches (OpenSSL)	TLS	Yes	5.9	Network	High	None	None	Un- changed	High	None	None	10.x
CVE-2014-3538	Oracle Communications WebRTC Session Controller	Security (file)	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	7.0, 7.1, 7.2
CVE-2014-8714	Oracle Communications WebRTC Session Controller	Security (Wireshark)	Multiple	Yes	5.3	Network	Low	None	None	Un- changed	None	None	Low	7.0, 7.1, 7.2
CVE-2014-0062	Oracle Communications WebRTC Session Controller	Security (Postgresql)	Multiple	No	4.2	Network	High	Low	None	Un- changed	Low	Low	None	7.0, 7.1, 7.2
CVE-2014-3707	Oracle Communications WebRTC Session Controller	Security (libcurl)	HTTP	Yes	3.7	Network	High	None	None	Un- changed	Low	None	None	7.0, 7.1, 7.2

Additional CVEs addressed are below:

The fix for CVE-2014-0062 also addresses CVE-2014-0060
The fix for CVE-2014-0224 also addresses CVE-2014-0076, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-3470 and CVE-2014-3571
The fix for CVE-2014-3538 also addresses CVE-2014-3587
The fix for CVE-2014-3707 also addresses CVE-2014-3613
The fix for CVE-2014-4345 also addresses CVE-2014-4342
The fix for CVE-2014-8714 also addresses CVE-2014-8713
The fix for CVE-2015-7501 also addresses CVE-2015-4582
The fix for CVE-2016-2107 also addresses CVE-2015-0207, CVE-2015-0208, CVE-2015-0209, CVE-2015-0285, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0290, CVE-2015-0291, CVE-2015-0292, CVE-2015-0293, CVE-2015-1787, CVE-2015-1793 and CVE-2015-3195
The fix for CVE-2016-6304 also addresses CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303 and CVE-2016-6306
The fix for CVE-2016-7052 also addresses CVE-2014-0224, CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206, CVE-2015-0207, CVE-2015-0208, CVE-2015-0209, CVE-2015-0285, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0290, CVE-2015-0291, CVE-2015-0292, CVE-2015-0293, CVE-2015-1787, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-3197, CVE-2016-0701, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307 and CVE-2016-6308
The fix for CVE-2017-5461 also addresses CVE-2015-7181, CVE-2015-7182, CVE-2015-7183, CVE-2015-7575, CVE-2016-1950, CVE-2016-1979, CVE-2016-2834, CVE-2016-5285, CVE-2017-5462 and CVE-2017-7502

Appendix - Oracle Construction and Engineering Suite

Oracle Construction and Engineering Suite Executive Summary

This Critical Patch Update contains 1 new security fix for the Oracle Construction and Engineering Suite. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Construction and Engineering Suite Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Supported Versions Affected	Notes	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-6814	Primavera Unifier	Platform (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	9.13, 9.14, 10.x, 15.x, 16.x,

Appendix - Oracle E-Business Suite

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 26 new security fixes for the Oracle E-Business Suite. 25 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Supported Versions Affected	Notes	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-10330	Oracle Common Applications	Gantt Server	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-10329	Oracle Global Order Promising	Reschedule Sales Orders	HTTP	Yes	9.1	Network	Low	None	None	Un- changed	High	High	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-10416	Oracle Advanced Outbound Telephony	Setup and Configuration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-10417	Oracle Advanced Outbound Telephony	Setup and Configuration	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-10325	Oracle Common Applications Calendar	Applications Calendar	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-10326	Oracle Common Applications Calendar	Applications Calendar	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-10303	Oracle Interaction Center Intelligence	Setup	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3
CVE-2017-10414	Oracle iStore	Checkout and Order Placement	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-10409	Oracle iStore	Merchant UI	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-10415	Oracle iSupport	Others	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-10410	Oracle Knowledge Management	Search	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-10411	Oracle Knowledge Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-10412	Oracle Knowledge Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-10413	Oracle Mobile Field Service	Multiplatform Based on HTML5	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-3444	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-3445	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-3446	Oracle Trade Management	User Interface	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10323	Oracle Web Applications Desktop Integrator	Application Service	HTTP	Yes	8.2	Network	Low	None	Required	Changed	High	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
CVE-2017-10328	Oracle Application Object Library	Diagnostics	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-10332	Oracle Universal Work Queue	Administration	HTTP	Yes	7.5	Network	Low	None	None	Un- changed	High	None	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-10077	Oracle Applications DBA	AD Utilities	HTTP	No	6.5	Network	Low	High	None	Un- changed	High	High	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-10331	Oracle Application Object Library	Diagnostics	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-10324	Oracle Applications Technology Stack	Oracle Forms	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	Low	None	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-10066	Oracle Applications Technology Stack	Oracle Forms	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-10322	Oracle Common Applications Calendar	Applications Calendar	HTTP	Yes	5.3	Network	Low	None	None	Un- changed	None	Low	None	12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
CVE-2017-10387	Oracle CRM Technical Foundation	Preferences	HTTP	Yes	4.3	Network	Low	None	Required	Un- changed	None	Low	None	12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7

Appendix - Oracle Enterprise Manager Grid Control

Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Enterprise Manager Grid Control. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. This fix is not applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager Grid Control Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Supported Versions Affected	Notes	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2016-6814	Oracle Enterprise Manager Ops Center	Networking (Apache Groovy)	HTTP	Yes	9.6	Network	Low	None	Required	Changed	High	High	High	12.2.2, 12.3.2

Appendix - Oracle Financial Services Applications

Oracle Financial Services Applications Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Financial Services Applications. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle Financial Services Applications Risk Matrix

CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Supported Versions Affected	Notes
CVE#	Product	Component	Protocol	Remote Exploit without Auth.?	Supported Versions Affected	Notes	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confid- entiality	Inte- grity	Avail- ability
CVE-2017-10363	Oracle FLEXCUBE Universal Banking	Security	HTTP	No	7.1	Network	Low	Low	None	Un- changed	High	Low	None	11.3, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0	See Note 1