
Oracle Critical Patch Update Advisory - January 2021


Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories.

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

This Critical Patch Update contains 329 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at January 2021 Critical Patch Update: Executive Summary and Analysis.

Please note that since the release of the October 2020 Critical Patch Update, Oracle has released a Security Alert for Oracle WebLogic Server: CVE-2020-14750 (November 1, 2020). Customers are strongly advised to apply this Critical Patch Update, which includes patches for this Alert as well as additional patches.

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column.

Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

| Affected Products and Versions | Patch Availability Document |
|---|---|
| Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Enterprise Manager Base Platform, versions 13.2.1.0, 13.3.0.0, 13.4.0.0 | Enterprise Manager |
| Enterprise Manager for Fusion Applications, version 13.3.0.0 | Enterprise Manager |
| Enterprise Manager Ops Center, version 12.4.0.0 | Enterprise Manager |
| Hyperion Financial Reporting, version 11.1.2.4 | Fusion Middleware |
| Hyperion Infrastructure Technology, version 11.1.2.4 | Fusion Middleware |
| Instantis EnterpriseTrack, versions 17.1-17.3 | Oracle Construction and Engineering Suite |
| JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.5.1 | JD Edwards |
| JD Edwards EnterpriseOne Tools, versions prior to 9.2.5.0 | JD Edwards |
| MySQL Client, versions 5.6.50 and prior, 5.7.32 and prior, 8.0.22 and prior | MySQL |
| MySQL Enterprise Monitor, versions 8.0.22 and prior | MySQL |
| MySQL Server, versions 5.6.50 and prior, 5.7.32 and prior, 8.0.22 and prior | MySQL |
| MySQL Workbench, versions 8.0.22 and prior | MySQL |
| Oracle Adaptive Access Manager, version 11.1.2.3.0 | Fusion Middleware |
| Oracle Agile Engineering Data Management, version 6.2.1.0 | Oracle Supply Chain Products |
| Oracle Agile PLM, versions 9.3.5, 9.3.6 | Oracle Supply Chain Products |
| Oracle Agile Product Lifecycle Management for Process, version 6.1 | Oracle Supply Chain Products |
| Oracle Application Express Opportunity Tracker, versions prior to 20.2 | Database |
| Oracle Application Express Survey Builder, versions prior to 20.2 | Database |
| Oracle Application Testing Suite, version 13.3.0.1 | Enterprise Manager |
| Oracle Argus Safety, version 8.2.2 | Health Sciences |
| Oracle BAM (Business Activity Monitoring), versions 11.1.1.9.0, 12.2.1.3.0 | Fusion Middleware |
| Oracle Banking Corporate Lending Process Management, versions 14.1.0, 14.3.0, 14.4.0 | Oracle Financial Services Applications |
| Oracle Banking Credit Facilities Process Management, versions 14.1.0, 14.3.0, 14.4.0 | Oracle Financial Services Applications |
| Oracle Banking Extensibility Workbench, versions 14.3.0, 14.4.0 | Oracle Financial Services Applications |
| Oracle Banking Liquidity Management, versions 14.0.0-14.4.0 | Oracle Financial Services Applications |
| Oracle Banking Payments, version 14.4.0 | Oracle Financial Services Applications |
| Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.6.2, 2.7.0, 2.7.1, 2.8.0, 2.9.0 | Oracle Banking Platform |
| Oracle Banking Supply Chain Finance, versions 14.2.0-14.4.0 | Oracle Financial Services Applications |
| Oracle Banking Trade Finance Process Management, versions 14.1.0, 14.3.0, 14.4.0 | Oracle Financial Services Applications |
| Oracle Banking Virtual Account Management, versions 14.1.0, 14.3.0, 14.4.0 | Oracle Financial Services Applications |
| Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware |
| Oracle Communications Application Session Controller, version 3.9m0p2 | Oracle Communications Application Session Controller |
| Oracle Communications ASAP, version 7.3 | Oracle Communications ASAP |
| Oracle Communications BRM - Elastic Charging Engine, versions 11.3.0.9, 12.0.0.3 | Oracle Communications BRM - Elastic Charging Engine |
| Oracle Communications Calendar Server, version 8.0.0.4.0 | Oracle Communications Calendar Server |
| Oracle Communications Contacts Server, version 8.0.0.5.0 | Oracle Communications Contacts Server |
| Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0-8.2.2 | Oracle Communications Diameter Signaling Router |
| Oracle Communications Element Manager, versions 8.2.1.0-8.2.2.1 | Oracle Communications Element Manager |
| Oracle Communications MetaSolv Solution, versions 6.3.0-6.3.1 | Oracle Communications MetaSolv Solution |
| Oracle Communications Network Charging and Control, versions 6.0.1, 12.0.2 | Oracle Communications Network Charging and Control |
| Oracle Communications Operations Monitor, versions 3.4, 4.1, 4.2, 4.3 | Oracle Communications Operations Monitor |
| Oracle Communications Performance Intelligence Center (PIC) Software, version 10.4.0.2 | Oracle Communications Performance Intelligence Center (PIC) Software |
| Oracle Communications Session Report Manager, versions 8.2.1.0-8.2.2.1 | Oracle Communications Session Report Manager |
| Oracle Complex Maintenance, Repair, and Overhaul, versions 11.5.10, 12.1, 12.2 | Oracle Supply Chain Products |
| Oracle Configurator, versions 12.1, 12.2 | Oracle Supply Chain Products |
| Oracle Data Integrator, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Database Server, versions 12.1.0.2, 12.2.0.1, 18c, 19c | Database |
| Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10 | E-Business Suite |
| Oracle Endeca Information Discovery Integrator, version 3.2.0.0 | Fusion Middleware |
| Oracle Enterprise Communications Broker, versions 3.1, 3.2 | Oracle Enterprise Communications Broker |
| Oracle Enterprise Data Quality, versions 11.1.1.9.0, 12.2.1.3.0 | Fusion Middleware |
| Oracle Enterprise Repository, version 11.1.1.7.0 | Fusion Middleware |
| Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0 | Oracle Financial Services Analytical Applications Infrastructure |
| Oracle Financial Services Asset Liability Management, versions 8.0.7, 8.1.0 | Oracle Financial Services Asset Liability Management |
| Oracle Financial Services Data Integration Hub, versions 8.0.3, 8.0.6 | Oracle Financial Services Data Integration Hub |
| Oracle Financial Services Funds Transfer Pricing, versions 8.0.6, 8.0.7, 8.1.0 | Oracle Financial Services Funds Transfer Pricing |
| Oracle Financial Services Market Risk Measurement and Management, version 8.0.6 | Oracle Financial Services Market Risk Measurement and Management |
| Oracle Financial Services Profitability Management, versions 8.0.6, 8.0.7, 8.1.0 | Oracle Financial Services Profitability Management |
| Oracle Financial Services Revenue Management and Billing, versions 2.9.0.0, 2.9.0.1 | Oracle Financial Services Revenue Management and Billing |
| Oracle FLEXCUBE Core Banking, versions 11.5.0-11.9.0 | Oracle Financial Services Applications |
| Oracle FLEXCUBE Universal Banking, version 14.4.0 | Oracle Financial Services Applications |
| Oracle Fusion Middleware MapViewer, version 12.2.1.3.0 | Fusion Middleware |
| Oracle Global Lifecycle Management OPatch | Fusion Middleware |
| Oracle Global Lifecycle Manager | Global Lifecycle Management |
| Oracle GoldenGate Application Adapters, version 19.1.0.0.0 | Fusion Middleware |
| Oracle GraalVM Enterprise Edition, versions 19.3.4, 20.3.0 | Oracle GraalVM Enterprise Edition |
| Oracle Health Sciences Information Manager, version 3.0.1 | Health Sciences |
| Oracle Healthcare Master Person Index, version 4.0.2.5 | Health Sciences |
| Oracle Hospitality Reporting and Analytics, version 9.1.0 | Oracle Hospitality Reporting and Analytics |
| Oracle Hospitality Simphony, versions 18.2.7.2, 19.1.3 | Oracle Hospitality Simphony |
| Oracle Insurance Allocation Manager for Enterprise Profitability, version 8.1.0 | Oracle Insurance Allocation Manager for Enterprise Profitability |
| Oracle Insurance Insbridge Rating and Underwriting, versions 5.0.0.20, 5.1.1.3 | Oracle Insurance Applications |
| Oracle Insurance Policy Administration, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0 | Oracle Insurance Applications |
| Oracle Insurance Rules Palette, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0 | Oracle Insurance Applications |
| Oracle Java SE, versions 7u281, 8u271 | Java SE |
| Oracle Java SE Embedded, version 8u271 | Java SE |
| Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Outside In Technology, versions 8.5.4, 8.5.5 | Fusion Middleware |
| Oracle Real-Time Decision Server, version 3.2.1.0 | Fusion Middleware |
| Oracle Retail Assortment Planning, version 16.0.3 | Retail Applications |
| Oracle Retail Bulk Data Integration, versions 15.0.3, 16.0.3 | Retail Applications |
| Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0, 19.0 | Retail Applications |
| Oracle Retail Extract Transform and Load, versions 13.2.5, 13.2.8 | Retail Applications |
| Oracle Retail Financial Integration, versions 14.1.3, 15.0.3, 16.0.3 | Retail Applications |
| Oracle Retail Integration Bus, versions 14.1.3, 15.0.3, 16.0.3 | Retail Applications |
| Oracle Retail Invoice Matching, versions 13.2, 14.0, 14.1 | Retail Applications |
| Oracle Retail Merchandising System, version 15.0 | Retail Applications |
| Oracle Retail Order Broker, versions 15.0, 16.0 | Retail Applications |
| Oracle Retail Order Broker Cloud Service, version 15.0 | Retail Applications |
| Oracle Retail Sales Audit, version 14.1 | Retail Applications |
| Oracle Retail Service Backbone, versions 14.1.3, 15.0.3, 16.0.3 | Retail Applications |
| Oracle Retail Store Inventory Management, versions 14.0.4.0, 14.1.3.0, 14.1.3.9, 15.0.3.0, 16.0.3.0 | Retail Applications |
| Oracle SD-WAN Edge, version 9.0 | Oracle SD-WAN Edge |
| Oracle Secure Backup | Oracle Secure Backup |
| Oracle Transportation Management, version 1.4.3 | Oracle Supply Chain Products |
| Oracle Utilities Framework, versions 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | Oracle Utilities Applications |
| Oracle VM VirtualBox, versions prior to 6.1.18 | Virtualization |
| Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | Fusion Middleware |
| Oracle ZFS Storage Appliance Kit, version 8.8 | Systems |
| PeopleSoft Enterprise FIN Payables, version 9.2 | PeopleSoft |
| PeopleSoft Enterprise HCM Human Resources, version 9.2 | PeopleSoft |
| PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58 | PeopleSoft |
| Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.9, 18.8.0-18.8.10, 19.12.0-19.12.10 | Oracle Construction and Engineering Suite |
| Primavera P6 Enterprise Project Portfolio Management, versions 16.1.0-16.2.20, 17.1.0-17.12.19, 18.1.0-18.8.21, 19.12.0-19.12.10 | Oracle Construction and Engineering Suite |
| Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12, 20.12 | Oracle Construction and Engineering Suite |
| Siebel Applications, versions 20.12 and prior | Siebel |
| StorageTek Tape Analytics SW Tool, version 2.3.1 | Systems |

Note:

  • Vulnerabilities affecting either Oracle Database or Oracle Fusion Middleware may affect Oracle Fusion Applications, so Oracle customers should refer to Oracle Fusion Applications Critical Patch Update Knowledge Document, My Oracle Support Note 1967316.1 for information on patches to be applied to Fusion Application environments.
  • Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so Oracle customers should refer to the Oracle and Sun Systems Product Suite Critical Patch Update Knowledge Document, My Oracle Support Note 2160904.1 for information on minimum revisions of security patches required to resolve ZFSSA issues published in Critical Patch Updates and Solaris Third Party bulletins.
  • Solaris Third Party Bulletins are used to announce security patches for third party software distributed with Oracle Solaris. Solaris 10 customers should refer to the latest patch-sets, which contain critical security fixes and are detailed in the Systems Patch Availability Document. Please see Reference Index of CVE IDs and Solaris Patches (My Oracle Support Note 1448883.1) for more information.
  • Users running Java SE with a browser can download the latest release from https://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE# which is its unique identifier. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

Oracle lists updates that address vulnerabilities in third-party components which are not exploitable in the context of their inclusion in their respective Oracle product beneath the product's risk matrix.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.
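The risk-matrix columns are the CVSS 3.1 base metrics, so the listed Base Score can be recomputed from a row during triage. The following is an added example, not part of Oracle's advisory: the rows are transcribed from the Oracle Database Server Risk Matrix on this page, while the function names and the triage ordering are assumptions of the example.

```python
"""Recompute CVSS 3.1 base scores from risk-matrix columns (added example)."""
import math

# CVSS 3.1 weights keyed by the wording used in the matrix columns. Only
# "Network" and "Local" occur on this page; "Adjacent"/"Physical" are spec names.
AV = {"Network": 0.85, "Adjacent": 0.62, "Local": 0.55, "Physical": 0.20}
AC = {"Low": 0.77, "High": 0.44}
UI = {"None": 0.85, "Required": 0.62}
CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}
# Privileges Required weighs more when Scope is Changed (key: scope changed?).
PR = {False: {"None": 0.85, "Low": 0.62, "High": 0.27},
      True: {"None": 0.85, "Low": 0.68, "High": 0.50}}

METRICS = ("av", "ac", "pr", "ui", "scope", "c", "i", "a")
COLUMNS = ("cve", "protocol", "remote_noauth", "listed") + METRICS

# Rows transcribed from the Oracle Database Server Risk Matrix in this advisory.
ROWS = [
    ("CVE-2021-2035", "Oracle Net", "No", 8.8, "Network", "Low", "Low", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2021-2018", "Oracle Net", "Yes", 8.3, "Network", "High", "None", "Required", "Changed", "High", "High", "High"),
    ("CVE-2021-2054", "Oracle Net", "No", 7.2, "Network", "Low", "High", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2021-2116", "HTTP", "No", 5.4, "Network", "Low", "Low", "Required", "Changed", "Low", "Low", "None"),
    ("CVE-2021-2117", "HTTP", "No", 5.4, "Network", "Low", "Low", "Required", "Changed", "Low", "Low", "None"),
    ("CVE-2021-1993", "Oracle Net", "No", 4.8, "Network", "High", "Low", "Required", "Unchanged", "None", "High", "None"),
    ("CVE-2021-2045", "Oracle Net", "No", 3.1, "Network", "High", "Low", "None", "Unchanged", "None", "None", "Low"),
    ("CVE-2021-2000", "Oracle Net", "No", 2.4, "Network", "Low", "High", "Required", "Unchanged", "None", "Low", "None"),
]


def roundup(x):
    """CVSS 3.1 Roundup: smallest one-decimal value >= x, safe against float noise."""
    n = round(x * 100000)
    return n / 100000.0 if n % 10000 == 0 else (math.floor(n / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, c, i, a):
    """Base score per the CVSS 3.1 specification equations."""
    changed = scope == "Changed"
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    if impact <= 0:
        return 0.0
    exploitability = 8.22 * AV[av] * AC[ac] * PR[changed][pr] * UI[ui]
    total = impact + exploitability
    return roundup(min(1.08 * total if changed else total, 10))


def vector(av, ac, pr, ui, scope, c, i, a):
    """Vector string; every column value abbreviates to its first letter."""
    names = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
    values = (av, ac, pr, ui, scope, c, i, a)
    return "CVSS:3.1/" + "/".join(f"{k}:{v[0]}" for k, v in zip(names, values))


def protocols(listed):
    """The advisory states a listed protocol implies its secure variant."""
    return [listed, "HTTPS"] if listed == "HTTP" else [listed]


def triage(rows=ROWS):
    """Annotate rows; unauthenticated-remote first, then by descending score."""
    out = []
    for row in rows:
        r = dict(zip(COLUMNS, row))
        metrics = [r[k] for k in METRICS]
        score = base_score(*metrics)
        out.append({
            "cve": r["cve"],
            "vector": vector(*metrics),
            "computed": score,
            "matches_listed": score == r["listed"],  # flags transcription errors
            "remote_noauth": r["remote_noauth"] == "Yes",
            "protocols": protocols(r["protocol"]),
        })
    return sorted(out, key=lambda e: (not e["remote_noauth"], -e["computed"]))


if __name__ == "__main__":
    for entry in triage():
        print(entry["cve"], entry["computed"], entry["vector"], entry["protocols"])
```

A row whose recomputed score differs from the listed Base Score usually means a column was mis-transcribed, which is worth catching before the row feeds a patch-priority list.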

Workarounds

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible. Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.

Skipped Critical Patch Updates

Oracle strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Critical Patch Update Supported Products and Versions

Patches released through the Critical Patch Update program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Critical Patch Update to Oracle:

  • 0rich1 of Ant Security FG Lab: CVE-2021-2109
  • 0xfoxone: CVE-2021-2068
  • Alessandro Bosco of TIM S.p.A: CVE-2021-2005
  • Alves Christopher of Telecom Nancy: CVE-2021-2006, CVE-2021-2010, CVE-2021-2011
  • Amey Anekar of CyberCube Services: CVE-2021-2052
  • Amy Tran: CVE-2021-2026, CVE-2021-2027
  • Andrej Simko of Accenture: CVE-2021-2077, CVE-2021-2078, CVE-2021-2079, CVE-2021-2080, CVE-2021-2082, CVE-2021-2083, CVE-2021-2084, CVE-2021-2085, CVE-2021-2090, CVE-2021-2091, CVE-2021-2092, CVE-2021-2093, CVE-2021-2094, CVE-2021-2096, CVE-2021-2097, CVE-2021-2098, CVE-2021-2099, CVE-2021-2100, CVE-2021-2101, CVE-2021-2102, CVE-2021-2103, CVE-2021-2104, CVE-2021-2105, CVE-2021-2106, CVE-2021-2107, CVE-2021-2114, CVE-2021-2115, CVE-2021-2118
  • Antonin B. of NCIA / NCSC: CVE-2021-2017
  • Bui Duong from Viettel Cyber Security: CVE-2021-2013, CVE-2021-2049, CVE-2021-2050, CVE-2021-2051
  • ChauUHM from Sacombank: CVE-2021-2062
  • ChenNan Of Chaitin Security Research Lab: CVE-2021-2086, CVE-2021-2111, CVE-2021-2112, CVE-2021-2119, CVE-2021-2120, CVE-2021-2121, CVE-2021-2125, CVE-2021-2126, CVE-2021-2129, CVE-2021-2131
  • Chi Tran: CVE-2021-2026, CVE-2021-2027
  • Chris Barnabo: CVE-2021-2128
  • Cl0und Syclover Security Team: CVE-2020-14756
  • Codeplutos of AntGroup FG Security Lab: CVE-2020-14756, CVE-2021-2075
  • DoHyun Lee of VirtualBoBs: CVE-2021-2086
  • Eddie Zhu of Beijing DBSEC Technology Co., Ltd: CVE-2021-2035, CVE-2021-2054
  • Edoardo Predieri of TIM S.p.A: CVE-2021-2005
  • Emad Al-Mousa working with Trend Micro Zero Day Initiative: CVE-2021-2054
  • Esteban Montes Morales of Accenture: CVE-2021-2089
  • Fabio Minarelli of TIM S.p.A: CVE-2021-2005
  • Francesco Russo of TIM S.p.A: CVE-2021-2005
  • Gaoning Pan of Zhejiang University & Ant Security Light-Year Lab: CVE-2021-2073, CVE-2021-2074, CVE-2021-2086, CVE-2021-2123, CVE-2021-2130
  • Girlelecta: CVE-2021-2066, CVE-2021-2067, CVE-2021-2069
  • Glassy of Alibaba Cloud Security Group: CVE-2021-2109
  • Hangfan Zhang: CVE-2021-2030
  • Julien Zhan of Telecom Nancy: CVE-2021-2006, CVE-2021-2010, CVE-2021-2011
  • JungHyun Kim (jidoc01) of VirtualBoBs: CVE-2021-2124
  • JunYoung Park and DongJun Shin of VirtualBoBs: CVE-2021-2127
  • Khuyen Nguyen of secgit.com: CVE-2021-2023
  • Kun Yang of Chaitin Security Research Lab: CVE-2021-2086, CVE-2021-2111, CVE-2021-2112, CVE-2021-2119, CVE-2021-2120, CVE-2021-2121, CVE-2021-2125, CVE-2021-2126, CVE-2021-2129, CVE-2021-2131
  • Longofo of Knownsec 404 Team: CVE-2021-2109
  • Luca Di Giuseppe of TIM S.p.A: CVE-2021-2005
  • Lukasz Plonka: CVE-2021-2063
  • Lukasz Rupala of ING Tech Poland: CVE-2021-2003
  • Maciej Grabiec of ING Tech Poland: CVE-2021-2063
  • Massimiliano Brolli of TIM S.p.A: CVE-2021-2005
  • Nam HaBach of NightSt0rm: CVE-2021-2034
  • Omur Ugur of Turk Telekom: CVE-2021-2003
  • Pawel Gocyla of ING Tech Poland: CVE-2021-2063
  • Philippe Antoine of Telecom Nancy: CVE-2021-2006, CVE-2021-2010, CVE-2021-2011
  • r00t4dm at Cloud-Penetrating Arrow Lab: CVE-2021-2109
  • Roberto Suggi Liverani of NCIA / NCSC: CVE-2021-2017
  • Rui Zhong: CVE-2021-2030
  • Rémi Badonnel of Telecom Nancy: CVE-2021-2010, CVE-2021-2011
  • Shimizu Kawasaki of DiDiGlobal Security Product Technology Department (Basic Security): CVE-2021-2109
  • Thiscodecc: CVE-2021-2047
  • Trung Le: CVE-2021-2026, CVE-2021-2027
  • Tuan Anh Nguyen of Viettel Cyber Security: CVE-2021-2025, CVE-2021-2029
  • Ved Prabhu: CVE-2021-2116, CVE-2021-2117
  • Xiayu Zhang of Tencent Keen Security Lab: CVE-2021-2064
  • Xingwei Lin of Ant Security Light-Year Lab: CVE-2021-2073, CVE-2021-2074, CVE-2021-2086, CVE-2021-2123, CVE-2021-2130
  • Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2021-2109
  • Yakov Shafranovich of T. Rowe Price Associates, Inc.: CVE-2021-2018
  • Yaoguang Chen of Ant Security Light-Year Lab: CVE-2021-2055
  • Yongheng Chen: CVE-2021-2030
  • Yu Wang of BMH Security Team: CVE-2021-2108
  • Zhangyanyu of Chaitin Security Research Lab: CVE-2021-2131
  • Zouhair Janatil-Idrissi of Telecom Nancy: CVE-2021-2006, CVE-2021-2010, CVE-2021-2011

Security-In-Depth Contributors

Oracle acknowledges people who have contributed to our Security-In-Depth program (see FAQ). People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

In this Critical Patch Update, Oracle recognizes the following for contributions to Oracle's Security-In-Depth program:

  • Markus Loewe [2 reports]
  • Salini Reus of Fiji Roads Authority

On-Line Presence Security Contributors

Oracle acknowledges people who have contributed to our On-Line Presence Security program (see FAQ). People are acknowledged for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

For this quarter, Oracle recognizes the following for contributions to Oracle's On-Line Presence Security program:

  • Aakash Adhikari (dark_haxor)
  • Adam Willard [2 reports]
  • Ahlan S
  • Ahmed Alwardani
  • Ahmed Ouahabi
  • Anas Rahmani
  • Ayushmaan Banerjee
  • Boo
  • Bradley Baker
  • Bui Dinh Bao aka 0xd0ff9 of Zalo Security Team (VNG Corp)
  • Bui Duc Anh Khoa aka khoabda of Zalo Security Team (VNG Corp)
  • Christopher Hanlon
  • Fabien B
  • Flaviu Popescu
  • Hamoud Al-Helmani [2 reports]
  • Harpreet Singh
  • Harshal S. Sharma
  • Mahmoud ElSayed
  • Marwan Albahar [6 reports]
  • Matt Bushey
  • Mohammad Hosein Askari
  • Phan Quan of VNPT Information Security Center (VNPT ISC)
  • Prabharoop C.C. [2 reports]
  • Prashant Saini
  • Pratik Khalane
  • Purbasha Ghosh
  • Quan Doan of R&D Center - VinCSS LLC (a member of Vingroup) [5 reports]
  • Ram Kumar
  • Ratnadip Gajbhiye
  • Robert Kulig
  • Robert Lee Dick
  • Sarwar Abbas
  • Saurabh Dilip Mhatre
  • Shailesh Kumavat
  • Shivam Pandey
  • Tuan Anh Nguyen of Viettel Cyber Security
  • Virendra Singh Rathore

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 20 April 2021
  • 20 July 2021
  • 19 October 2021
  • 18 January 2022


Modification History

| Date | Note |
|---|---|
| 2021-February-22 | Rev 3. Updated the affected versions for CVE-2021-2047 |
| 2021-January-25 | Rev 2. Update to Credit Statements. |
| 2021-January-19 | Rev 1. Initial Release. |

Oracle Database Server Risk Matrix

This Critical Patch Update contains 8 new security patches plus additional third party patches noted below for Oracle Database Products. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.

The columns Base Score through Availability are the CVSS VERSION 3.1 RISK values (see Risk Matrix Definitions).

| CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-2035 | RDBMS Scheduler | Export Full Database | Oracle Net | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2021-2018 | Advanced Networking Option | None | Oracle Net | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 18c, 19c | See Note 1 |
| CVE-2021-2054 | RDBMS Sharding | Create Any Procedure, Create Any View, Create Any Trigger | Oracle Net | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 12.2.0.1, 18c, 19c | |
| CVE-2021-2116 | Oracle Application Express Opportunity Tracker | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 | |
| CVE-2021-2117 | Oracle Application Express Survey Builder | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 | |
| CVE-2021-1993 | Java VM | Create Session | Oracle Net | No | 4.8 | Network | High | Low | Required | Unchanged | None | High | None | 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2021-2045 | Oracle Text | Create Session | Oracle Net | No | 3.1 | Network | High | Low | None | Unchanged | None | None | Low | 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2021-2000 | Unified Audit | SYS Account | Oracle Net | No | 2.4 | Network | Low | High | Required | Unchanged | None | Low | None | 12.1.0.2, 12.2.0.1, 18c, 19c | |

Notes:

  1. CVE-2021-2018 affects Windows platform only.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Perl: CVE-2020-10878, CVE-2020-10543 and CVE-2020-12723.

Oracle Global Lifecycle Management Risk Matrix

This Critical Patch Update contains no new security patches but does include third party patches noted below for Oracle Global Lifecycle Management. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Global Lifecycle Management. The English text form of this Risk Matrix can be found here.

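The columns Base Score through Availability are the CVSS VERSION 3.1 RISK values (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|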

There are no exploitable vulnerabilities for these products.
Third party patches for non-exploitable CVEs are noted below.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Global Lifecycle Manager
    • Patch Installer (Apache Commons Compress): CVE-2019-12402.

Oracle Secure Backup Risk Matrix

This Critical Patch Update contains no new security patches but does include third party patches noted below for Oracle Secure Backup. Please refer to previous Critical Patch Update Advisories if the last Critical Patch Update was not applied for Oracle Secure Backup. The English text form of this Risk Matrix can be found here.

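The columns Base Score through Availability are the CVSS VERSION 3.1 RISK values (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|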

There are no exploitable vulnerabilities for these products.
Third party patches for non-exploitable CVEs are noted below.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Secure Backup
    • User Interface (PHP): CVE-2020-7064.
    • Web Server (Apache HTTP Server): CVE-2020-11984, CVE-2020-11993 and CVE-2020-9490.

Oracle Communications Applications Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle Communications Applications. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

The columns Base Score through Availability are the CVSS VERSION 3.1 RISK values (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-14195 | Oracle Communications Calendar Server | REST API (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.0.0.4.0 | |
| CVE-2020-14195 | Oracle Communications Contacts Server | REST API (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.0.0.5.0 | |
| CVE-2019-17566 | Oracle Communications MetaSolv Solution | Print Preview (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 6.3.0-6.3.1 | |
| CVE-2020-13871 | Oracle Communications Network Charging and Control | Common (SQLite) | SQL | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 6.0.1, 12.0.2 | |
| CVE-2019-10086 | Oracle Communications BRM - Elastic Charging Engine | Coherence Query (Apache Commons BeanUtils) | TCP/IP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.3.0.9, 12.0.0.3 | |
| CVE-2019-10086 | Oracle Communications MetaSolv Solution | Online Help (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 6.3.0-6.3.1 | |
| CVE-2020-5421 | Oracle Communications BRM - Elastic Charging Engine | Orchestration, Processor and Messages (Spring Framework) | TCP/IP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 11.3.0.9, 12.0.0.3 | |
| CVE-2020-1945 | Oracle Communications ASAP | Core (Apache Ant) | None | No | 6.2 | Local | Low | None | None | Unchanged | High | None | None | 7.3 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-13871 also addresses CVE-2020-15358.
  • The patch for CVE-2020-14195 also addresses CVE-2020-14060, CVE-2020-14061 and CVE-2020-14062.
  • The patch for CVE-2020-1945 also addresses CVE-2017-5645.

Oracle Communications Risk Matrix

This Critical Patch Update contains 12 new security patches for Oracle Communications. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-7164 | Oracle Communications Operations Monitor | ORMB DB Query in VSP (SQLAlchemy) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 4.2, 4.3 | |
| CVE-2020-24750 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.0.0-8.2.2 | |
| CVE-2020-27216 | Oracle Communications Application Session Controller | Core (Eclipse Jetty) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 3.9m0p2 | |
| CVE-2020-27216 | Oracle Communications Element Manager | REST API (Eclipse Jetty) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 8.2.1.0-8.2.2.1 | |
| CVE-2020-14147 | Oracle Communications Operations Monitor | In-Memory DB for FDP/VSP (Redis) | HTTP | No | 7.7 | Network | Low | Low | None | Changed | None | None | High | 3.4, 4.1, 4.2, 4.3 | |
| CVE-2019-17566 | Oracle Communications Application Session Controller | Core (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 3.9m0p2 | |
| CVE-2020-11080 | Oracle Enterprise Communications Broker | System (nghttp2) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 3.1, 3.2 | |
| CVE-2019-10086 | Oracle Communications Diameter Signaling Router (DSR) | IDIH (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 8.0.0-8.2.2 | |
| CVE-2019-10086 | Oracle SD-WAN Edge | Management (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 9.0 | |
| CVE-2020-10723 | Oracle Enterprise Communications Broker | System (DPDK) | None | No | 6.7 | Local | Low | High | None | Unchanged | High | High | High | 3.1, 3.2 | |
| CVE-2020-5421 | Oracle Communications Session Report Manager | Core (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 8.2.1.0-8.2.2.1 | |
| CVE-2019-1559 | Oracle Communications Performance Intelligence Center (PIC) Software | Security (OpenSSL) | HTTPS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 10.4.0.2 | |

Additional CVEs addressed are:

  • The patch for CVE-2019-1559 also addresses CVE-2018-0732.
  • The patch for CVE-2019-7164 also addresses CVE-2019-7548.
  • The patch for CVE-2020-10723 also addresses CVE-2020-10722, CVE-2020-10724, CVE-2020-10725 and CVE-2020-10726.
  • The patch for CVE-2020-11080 also addresses CVE-2019-9511 and CVE-2019-9513.
  • The patch for CVE-2020-24750 also addresses CVE-2020-24616 and CVE-2020-9546.

Oracle Construction and Engineering Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Construction and Engineering. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-25020 | Primavera Unifier | Platform (MPXJ) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 16.1, 16.2, 17.7-17.12, 18.8, 19.12, 20.12 | |
| CVE-2019-17566 | Instantis EnterpriseTrack | Dashboard module (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 17.1-17.3 | |
| CVE-2020-11979 | Primavera Gateway | Admin (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 16.2.0-16.2.11, 17.12.0-17.12.9 | |
| CVE-2020-11979 | Primavera Unifier | Core, Config (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 16.1, 16.2, 17.7-17.12, 18.8, 19.12, 20.12 | |
| CVE-2019-10086 | Primavera Unifier | Core (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 16.1, 16.2, 17.7-17.12, 18.8, 19.12, 20.12 | |
| CVE-2020-5421 | Primavera Gateway | Admin (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 16.2.0-16.2.11, 17.12.0-17.12.9, 18.8.0-18.8.10, 19.12.0-19.12.10 | |
| CVE-2020-5421 | Primavera P6 Enterprise Project Portfolio Management | Web access (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 16.1.0-16.2.20, 17.1.0-17.12.19, 18.1.0-18.8.21, 19.12.0-19.12.10 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-25020 also addresses CVE-2020-35460.

Oracle E-Business Suite Risk Matrix

This Critical Patch Update contains 31 new security patches for Oracle E-Business Suite. 29 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle E-Business Suite risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the January 2021 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Oracle E-Business Suite. For information on what patches need to be applied to your environments, refer to Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (January 2021), My Oracle Support Note 2737201.1.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-2029 | Oracle Scripting | Miscellaneous | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1.1-12.1.3, 12.2.3-12.2.8 | |
| CVE-2021-2100 | Oracle One-to-One Fulfillment | Print Server | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2101 | Oracle One-to-One Fulfillment | Print Server | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2093 | Oracle Common Applications | CRM User Management Framework | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2114 | Oracle Common Applications Calendar | Applications Calendar | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2034 | Oracle Common Applications Calendar | Tasks | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3 | |
| CVE-2021-2084 | Oracle CRM Technical Foundation | Preferences | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2085 | Oracle CRM Technical Foundation | Preferences | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2092 | Oracle CRM Technical Foundation | Preferences | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2099 | Oracle CRM Technical Foundation | Preferences | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.2.3-12.2.10 | |
| CVE-2021-2105 | Oracle Customer Interaction History | Outcome-Result | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2106 | Oracle Customer Interaction History | Outcome-Result | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2107 | Oracle Customer Interaction History | Outcome-Result | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2090 | Oracle Email Center | Message Display | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2098 | Oracle Email Center | Message Display | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2089 | Oracle iStore | Runtime Catalog | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2077 | Oracle iStore | Shopping Cart | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2082 | Oracle iStore | Shopping Cart | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2096 | Oracle iStore | Shopping Cart | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2097 | Oracle iSupport | Profile | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2083 | Oracle iSupport | User Responsibilities | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2026 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2027 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2118 | Oracle Marketing | Marketing Administration | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2094 | Oracle One-to-One Fulfillment | Print Server | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2091 | Oracle Scripting | Miscellaneous | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2015 | Oracle Workflow | Worklist | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.2.3-12.2.10 | |
| CVE-2021-2115 | Oracle Common Applications Calendar | Tasks | HTTP | No | 7.6 | Network | Low | Low | Required | Changed | High | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2059 | Oracle iStore | Web interface | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.1.1-12.1.3, 12.2.3-12.2.10 | |
| CVE-2021-2023 | Oracle Installed Base | APIs | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | None | Low | None | 12.1.1-12.1.3, 12.2.3-12.2.9 | |
| CVE-2021-2017 | Oracle User Management | Proxy User Delegation | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 12.1.3, 12.2.3-12.2.10 | |

Oracle Enterprise Manager Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle Enterprise Manager. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed. The English text form of this Risk Matrix can be found here.

Oracle Enterprise Manager products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections. The exposure of Oracle Enterprise Manager products is dependent on the Oracle Database and Oracle Fusion Middleware versions being used. Oracle Database and Oracle Fusion Middleware security updates are not listed in the Oracle Enterprise Manager risk matrix. However, since vulnerabilities affecting Oracle Database and Oracle Fusion Middleware versions may affect Oracle Enterprise Manager products, Oracle recommends that customers apply the January 2021 Critical Patch Update to the Oracle Database and Oracle Fusion Middleware components of Enterprise Manager. For information on what patches need to be applied to your environments, refer to Critical Patch Update January 2021 Patch Availability Document for Oracle Products, My Oracle Support Note 2725756.1.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-13990 | Enterprise Manager Base Platform | Connector Framework (Quartz) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 13.2.1.0 | |
| CVE-2020-11973 | Enterprise Manager Base Platform | Reporting Framework (Apache Camel) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 13.3.0.0, 13.4.0.0 | |
| CVE-2016-1000031 | Enterprise Manager Base Platform | Reporting Framework (Apache Commons FileUpload) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 13.3.0.0, 13.4.0.0 | |
| CVE-2020-11984 | Enterprise Manager Ops Center | Control Proxy (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.4.0.0 | |
| CVE-2020-10683 | Oracle Application Testing Suite | Load Testing for Web Apps (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 13.3.0.1 | |
| CVE-2018-15756 | Enterprise Manager for Fusion Applications | Topology Viewer (Spring Framework) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 13.3.0.0 | |
| CVE-2020-11022 | Oracle Application Testing Suite | Load Testing for Web Apps (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 13.3.0.1 | |
| CVE-2015-4000 | Enterprise Manager Ops Center | User Interface (OpenSSL) | HTTPS | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | 12.4.0.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2016-1000031 also addresses CVE-2018-11775 and CVE-2019-0188.
  • The patch for CVE-2018-15756 also addresses CVE-2018-1258.
  • The patch for CVE-2019-13990 also addresses CVE-2019-5427.
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023.
  • The patch for CVE-2020-11973 also addresses CVE-2019-0188, CVE-2020-11971 and CVE-2020-11972.
  • The patch for CVE-2020-11984 also addresses CVE-2020-11993 and CVE-2020-9490.

Oracle Financial Services Applications Risk Matrix

This Critical Patch Update contains 50 new security patches for Oracle Financial Services Applications. 41 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-11612 | Oracle Banking Corporate Lending Process Management | Core (Netty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2020-11612 | Oracle Banking Credit Facilities Process Management | Core (Netty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2019-10744 | Oracle Banking Extensibility Workbench | Core (Lodash) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.3.0, 14.4.0 | |
| CVE-2020-8174 | Oracle Banking Extensibility Workbench | Core (Node.js) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.3.0, 14.4.0 | |
| CVE-2020-11612 | Oracle Banking Liquidity Management | Common (Netty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.0.0-14.4.0 | |
| CVE-2020-11612 | Oracle Banking Payments | Payments Core (Netty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.4.0 | |
| CVE-2020-11612 | Oracle Banking Supply Chain Finance | Core (Netty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.2.0-14.4.0 | |
| CVE-2020-11612 | Oracle Banking Trade Finance Process Management | Dashboard (Netty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2020-11612 | Oracle Banking Virtual Account Management | Common Core (Netty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2019-3773 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (Spring Web Services) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.6-8.1.0 | |
| CVE-2019-0230 | Oracle Financial Services Data Integration Hub | User Interface (Apache Struts) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.3, 8.0.6 | |
| CVE-2019-0230 | Oracle Financial Services Market Risk Measurement and Management | User Interface (Apache Struts) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.6 | |
| CVE-2020-11612 | Oracle FLEXCUBE Universal Banking | Infrastructure (Netty) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.4.0 | |
| CVE-2020-1945 | Oracle Banking Liquidity Management | Common (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 14.0.0-14.4.0 | |
| CVE-2020-27216 | Oracle FLEXCUBE Core Banking | Securities (Eclipse Jetty) | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 11.5.0-11.9.0 | |
| CVE-2019-12399 | Oracle Banking Corporate Lending Process Management | Core (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2019-12399 | Oracle Banking Credit Facilities Process Management | Core (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2019-12399 | Oracle Banking Liquidity Management | Common (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.0.0-14.4.0 | |
| CVE-2019-12399 | Oracle Banking Payments | Payments Core (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.4.0 | |
| CVE-2020-11979 | Oracle Banking Platform | Installer (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 2.4.0, 2.4.1, 2.6.2, 2.7.0, 2.7.1, 2.8.0 | |
| CVE-2019-12402 | Oracle Banking Platform | Party, Financials (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 2.6.2, 2.7.0, 2.8.0, 2.9.0 | |
| CVE-2019-12399 | Oracle Banking Platform | Product Manufacturing (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 2.7.0 | |
| CVE-2019-12399 | Oracle Banking Supply Chain Finance | Core (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.2.0-14.4.0 | |
| CVE-2019-12399 | Oracle Banking Trade Finance Process Management | Dashboard (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2019-12399 | Oracle Banking Virtual Account Management | Common Core (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2020-11979 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 8.0.6-8.1.0 | |
| CVE-2019-12399 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 8.0.6-8.1.0 | |
| CVE-2019-12399 | Oracle FLEXCUBE Universal Banking | Infrastructure (Apache Kafka) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 14.4.0 | |
| CVE-2019-10086 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 8.0.6-8.1.0 | |
| CVE-2019-10086 | Oracle Financial Services Asset Liability Management | Core (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 8.0.7, 8.1.0 | |
| CVE-2019-10086 | Oracle Financial Services Funds Transfer Pricing | Core (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 8.0.6, 8.0.7, 8.1.0 | |
| CVE-2019-10086 | Oracle Financial Services Market Risk Measurement and Management | Core (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 8.0.6 | |
| CVE-2019-10086 | Oracle Financial Services Profitability Management | Core (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 8.0.6, 8.0.7, 8.1.0 | |
| CVE-2019-10086 | Oracle Insurance Allocation Manager for Enterprise Profitability | Core (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 8.1.0 | |
| CVE-2020-5408 | Oracle Banking Corporate Lending Process Management | Core (Spring Security) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2020-5408 | Oracle Banking Credit Facilities Process Management | Core (Spring Security) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2020-5408 | Oracle Banking Liquidity Management | Common (Spring Security) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 14.0.0-14.4.0 | |
| CVE-2020-5408 | Oracle Banking Supply Chain Finance | Core (Spring Security) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 14.2.0-14.4.0 | |
| CVE-2020-5408 | Oracle Banking Trade Finance Process Management | Dashboard (Spring Security) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2020-5408 | Oracle Banking Virtual Account Management | Common Core (Spring Security) | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2020-5421 | Oracle Financial Services Analytical Applications Infrastructure | Infrastructure (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 8.0.6-8.1.0 | |
| CVE-2019-11269 | Oracle Banking Corporate Lending Process Management | Core (Spring Security Oauth) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2019-11269 | Oracle Banking Credit Facilities Process Management | Core (Spring Security Oauth) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2019-11269 | Oracle Banking Liquidity Management | Common (Spring Security Oauth) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 14.0.0-14.4.0 | |
| CVE-2019-11269 | Oracle Banking Payments | Payments Core (Spring Security Oauth) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 14.4.0 | |
| CVE-2019-11269 | Oracle Banking Supply Chain Finance | Core (Spring Security Oauth) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 14.2.0-14.4.0 | |
| CVE-2019-11269 | Oracle Banking Trade Finance Process Management | Dashboard (Spring Security Oauth) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2019-11269 | Oracle Banking Virtual Account Management | Common Core (Spring Security Oauth) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 14.1.0, 14.3.0, 14.4.0 | |
| CVE-2019-11269 | Oracle FLEXCUBE Universal Banking | Infrastructure (Spring Security Oauth) | HTTP | Yes | 5.4 | Network | Low | None | Required | Unchanged | Low | Low | None | 14.4.0 | |
| CVE-2021-2113 | Oracle Financial Services Revenue Management and Billing | On Demand Billing | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 2.9.0.0, 2.9.0.1 | |

Additional CVEs addressed are:

  • The patch for CVE-2019-0230 also addresses CVE-2019-0233 and CVE-2020-17530.
  • The patch for CVE-2019-11269 also addresses CVE-2019-3778.
  • The patch for CVE-2020-1945 also addresses CVE-2020-11979.
  • The patch for CVE-2020-5408 also addresses CVE-2020-5407.
  • The patch for CVE-2020-8174 also addresses CVE-2020-10531, CVE-2020-11080 and CVE-2020-8172.

Oracle Food and Beverage Applications Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle Food and Beverage Applications. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2018-1285 | Oracle Hospitality Simphony | Simphony Server (Apache log4net) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 18.2.7.2, 19.1.3 | |
| CVE-2021-1997 | Oracle Hospitality Reporting and Analytics | Report | HTTP | No | 8.1 | Network | Low | Low | None | Unchanged | High | High | None | 9.1.0 | |

Oracle Fusion Middleware Risk Matrix

This Critical Patch Update contains 60 new security patches plus additional third party patches noted below for Oracle Fusion Middleware. 47 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

Please note that the Security Alert patches for Oracle WebLogic Server: CVE-2020-14750 are included in this Critical Patch Update. Customers are strongly advised to apply this Critical Patch Update.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-10173 | Oracle BAM (Business Activity Monitoring) | General (Xstream) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.1.9.0, 12.2.1.3.0 | |
| CVE-2020-10683 | Oracle Business Process Management Suite | Installer (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-14756 | Oracle Coherence | Core Components | IIOP, T3 | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2015-8965 | Oracle Data Integrator | Install, config, upgrade (Rogue Wave JViews) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-10683 | Oracle Data Integrator | Runtime Java agent for ODI (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2016-1000031 | Oracle Enterprise Data Quality | General (Apache Commons FileUpload) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.1.9.0 | |
| CVE-2020-10683 | Oracle Enterprise Data Quality | General (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.1.9.0, 12.2.1.3.0 | |
| CVE-2020-11998 | Oracle Enterprise Repository | Security Subsystem (Apache ActiveMQ) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.1.7.0 | |
| CVE-2020-10683 | Oracle WebCenter Portal | Portlet Services (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.1.9.0 | |
| CVE-2019-17195 | Oracle WebLogic Server | Core Components (Connect2id Nimbus JOSE+JWT) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-1994 | Oracle WebLogic Server | Web Services | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0 | |
| CVE-2021-2047 | Oracle WebLogic Server | Core Components | IIOP, T3 | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 | |
| CVE-2021-2064 | Oracle WebLogic Server | Core Components | IIOP, T3 | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1.3.0.0 | |
| CVE-2021-2108 | Oracle WebLogic Server | Core Components | IIOP, T3 | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 12.1.3.0.0 | |
| CVE-2021-2075 | Oracle WebLogic Server | Samples | IIOP, T3 | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2020-1945 | Oracle Real-Time Decision Server | Decision Studio (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 3.2.1.0 | |
| CVE-2020-5421 | Oracle Endeca Information Discovery Integrator | Integrator ETL (Spring Framework) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 3.2.0.0 | |
| CVE-2021-2066 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | High | Low | 8.5.4, 8.5.5 | See Note 1 |
| CVE-2021-2067 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | High | Low | 8.5.4, 8.5.5 | See Note 1 |
| CVE-2021-2068 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | High | Low | 8.5.4, 8.5.5 | See Note 1 |
| CVE-2021-2069 | Oracle Outside In Technology | Outside In Filters | HTTP | Yes | 8.6 | Network | Low | None | None | Unchanged | Low | High | Low | 8.5.4, 8.5.5 | See Note 1 |
| CVE-2021-2025 | Oracle Business Intelligence Enterprise Edition | Analytics Web General | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2041 | Oracle Business Intelligence Enterprise Edition | Installation | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2049 | Oracle BI Publisher | Administration | HTTP | No | 7.6 | Network | Low | Low | None | Unchanged | High | Low | Low | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2013 | Oracle BI Publisher | BI Publisher Security | HTTP | No | 7.6 | Network | Low | Low | None | Unchanged | High | Low | Low | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2050 | Oracle BI Publisher | E-Business Suite - XDO | HTTP | No | 7.6 | Network | Low | Low | None | Unchanged | High | Low | Low | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2051 | Oracle BI Publisher | E-Business Suite - XDO | HTTP | No | 7.6 | Network | Low | Low | None | Unchanged | High | Low | Low | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2062 | Oracle BI Publisher | Web Server | HTTP | No | 7.6 | Network | Low | Low | Required | Changed | High | Low | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2019-17359 | Oracle Data Integrator | Runtime Java agent for ODI (Bouncy Castle Java Library) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.4.0 | |
| CVE-2017-12626 | Oracle Enterprise Data Quality | General (Apache POI) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.1.1.9.0, 12.2.1.3.0 | |
| CVE-2020-11979 | Oracle Enterprise Repository | Security Subsystem (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 11.1.1.7.0 | |
| CVE-2019-17566 | Oracle Enterprise Repository | Security Subsystem (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 11.1.1.7.0 | |
| CVE-2020-11994 | Oracle Enterprise Repository | Security Subsystem (Apache Camel) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.1.1.7.0 | |
| CVE-2020-13935 | Oracle Managed File Transfer | MFT Runtime Server (Apache Tomcat) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2019-0227 | Oracle Real-Time Decision Server | Platform Installation (Apache Axis) | HTTP | Yes | 7.5 | Adjacent Network | High | None | None | Unchanged | High | High | High | 3.2.1.0 | |
| CVE-2019-10086 | Oracle Data Integrator | Install, config, upgrade (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2019-10086 | Oracle Endeca Information Discovery Integrator | Integrator ETL (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 3.2.0.0 | |
| CVE-2019-10086 | Oracle Fusion Middleware MapViewer | Install (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 12.2.1.3.0 | |
| CVE-2019-10086 | Oracle Real-Time Decision Server | Platform Installation (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 3.2.1.0 | |
| CVE-2019-10086 | Oracle WebCenter Portal | Security Framework (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2019-10086 | Oracle WebLogic Server | Console (Apache Commons Beanutils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2109 | Oracle WebLogic Server | Console | HTTP | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2018-2587 | Oracle Adaptive Access Manager | Install and Config | HTTP | Yes | 6.5 | Network | High | None | None | Unchanged | Low | High | None | 11.1.2.3.0 | |
| CVE-2018-9019 | Oracle Data Integrator | Rest Service (Dolibarr) | HTTP | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-5421 | Oracle GoldenGate Application Adapters | Application Adapters (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 19.1.0.0.0 | |
| CVE-2020-5421 | Oracle WebLogic Server | Sample apps (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2021-1995 | Oracle WebLogic Server | Web Services | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | High | None | 10.3.6.0.0, 12.1.3.0.0 | |
| CVE-2019-14862 | Oracle Business Intelligence Enterprise Edition | Analytics Server (Knockout) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 5.5.0.0.0 | |
| CVE-2019-17091 | Oracle Enterprise Data Quality | General (Eclipse Mojarra) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.3.0 | |
| CVE-2020-11022 | Oracle WebCenter Sites | WebCenter Sites (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-11022 | Oracle WebLogic Server | Sample apps (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2016-5725 | Oracle Data Integrator | Install, config, upgrade (JCraft JSch) | SFTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 11.1.1.9.0, 12.2.1.3.0 | |
| CVE-2018-10237 | Oracle WebLogic Server | Centralized Thirdparty Jars (Google Guava) | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 12.2.1.3.0 | |
| CVE-2021-2003 | Business Intelligence Enterprise Edition | Analytics Web Dashboards | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2019-10247 | Oracle Data Integrator | Centralized Thirdparty Jars (Eclipse Jetty) | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2005 | Oracle Business Intelligence Enterprise Edition | BI Platform Security | HTTP | Yes | 4.7 | Network | Low | None | Required | Changed | Low | None | None | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2021-2033 | Oracle WebLogic Server | Core Components | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | |
| CVE-2020-9488 | Oracle Data Integrator | Install, config, upgrade (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 12.2.1.3.0, 12.2.1.4.0 | |
| CVE-2020-9488 | Oracle GoldenGate Application Adapters | Application Adapters (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 19.1.0.0.0 | |
| CVE-2021-1996 | Oracle WebLogic Server | Web Services | HTTP | No | 2.4 | Network | Low | High | Required | Unchanged | Low | None | None | 10.3.6.0.0, 12.1.3.0.0 | |

Notes:

  1. Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower.

Additional CVEs addressed are:

  • The patch for CVE-2018-9019 also addresses CVE-2017-5611 and CVE-2018-7318.
  • The patch for CVE-2019-0227 also addresses CVE-2018-8032.
  • The patch for CVE-2019-10247 also addresses CVE-2019-10246.
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023.
  • The patch for CVE-2020-13935 also addresses CVE-2020-13934.
  • The patch for CVE-2021-2041 also addresses CVE-2019-2697.

Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:

  • Oracle Global Lifecycle Management OPatch
    • Patch Installer (Apache Commons Compress): CVE-2019-12402 and CVE-2012-2098.

Oracle GraalVM Risk Matrix

This Critical Patch Update contains 2 new security patches for Oracle GraalVM. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

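CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-8277 | Oracle GraalVM Enterprise Edition | Node (Node.js) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 19.3.4, 20.3.0 | |
| CVE-2020-14803 | Oracle GraalVM Enterprise Edition | Java | Multiple | Yes | 5.3 | Network | High | None | Required | Unchanged | None | High | None | 19.3.4, 20.3.0 | |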

Additional CVEs addressed are:

  • The patch for CVE-2020-8277 also addresses CVE-2020-1971, CVE-2020-8265 and CVE-2020-8287.

Oracle Health Sciences Applications Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle Health Sciences Applications. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-10683 | Oracle Health Sciences Information Manager | Recordlocator, DSUB (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.0.1 | |
| CVE-2020-5421 | Oracle Healthcare Master Person Index | MDM Module (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 4.0.2.5 | |
| CVE-2021-2040 | Oracle Argus Safety | Case Form, Local Affiliate Form | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.2.2 | |
| CVE-2021-2110 | Oracle Argus Safety | Letters | HTTP | No | 5.0 | Network | Low | Low | None | Changed | Low | None | None | 8.2.2 | |
| CVE-2020-9488 | Oracle Health Sciences Information Manager | Recordlocator, DSUB (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 3.0.1 | |

Oracle Hyperion Risk Matrix

This Critical Patch Update contains 7 new security patches for Oracle Hyperion. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2019-13990 | Hyperion Infrastructure Technology | Common Security (Quartz) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.2.4 | |
| CVE-2020-11984 | Hyperion Infrastructure Technology | Installation and Configuration (Apache HTTP Server) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.1.2.4 | |
| CVE-2019-17563 | Hyperion Infrastructure Technology | Common Security (Apache Tomcat) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.1.2.4 | See Note 1 |
| CVE-2019-12402 | Hyperion Infrastructure Technology | Installation and Configuration (Apache Commons Compress) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.1.2.4 | |
| CVE-2020-5421 | Hyperion Infrastructure Technology | Installation and Configuration (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 11.1.2.4 | |
| CVE-2020-11022 | Hyperion Financial Reporting | Installation (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.1.2.4 | See Note 2 |
| CVE-2019-12415 | Hyperion Infrastructure Technology | Common Security (Apache POI) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 11.1.2.4 | |

Notes:

  1. This CVE is not exploitable in Hyperion Infrastructure Technology. The CVSS v3.1 Base Score for this CVE in the National Vulnerability Database (NVD) is 9.5. Tomcat is removed in Hyperion Infrastructure Technology with the January 2021 Critical Patch Update.
  2. This CVE is not exploitable in Hyperion Financial Reporting. The CVSS v3.1 Base Score for this CVE in the National Vulnerability Database (NVD) is 6.1. jQuery is removed from Hyperion Financial Reporting with the January 2021 Critical Patch Update.

Additional CVEs addressed are:

  • The patch for CVE-2019-13990 also addresses CVE-2019-5427.
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023.
  • The patch for CVE-2020-11984 also addresses CVE-2020-11993 and CVE-2020-9490.

Oracle Insurance Applications Risk Matrix

This Critical Patch Update contains 3 new security patches for Oracle Insurance Applications. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-5421 | Oracle Insurance Policy Administration | Architecture (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0 | |
| CVE-2020-5421 | Oracle Insurance Rules Palette | Architecture (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0 | |
| CVE-2019-11358 | Oracle Insurance Insbridge Rating and Underwriting | Framework Administrator IBFA (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 5.0.0.20, 5.1.1.03 | |

Oracle Java SE Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Java SE. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

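CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-14803 | Java SE, Java SE Embedded | Libraries | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | Java SE: 7u281, 8u271; Java SE Embedded: 8u271 | See Note 1 |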

Notes:

  1. This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Oracle JD Edwards Risk Matrix

This Critical Patch Update contains 5 new security patches for Oracle JD Edwards. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-1967 | JD Edwards EnterpriseOne Tools | Enterprise Infrastructure SEC (OpenSSL) | JDENET | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | Prior to 9.2.5.0 | |
| CVE-2020-11022 | JD Edwards EnterpriseOne Orchestrator | E1 IOT Orchestrator Security (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 9.2.5.0 | |
| CVE-2020-11022 | JD Edwards EnterpriseOne Tools | E1 Dev Platform Tech - Cloud (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 9.2.5.0 | |
| CVE-2020-11022 | JD Edwards EnterpriseOne Tools | Web Runtime (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 9.2.5.0 | |
| CVE-2021-2052 | JD Edwards EnterpriseOne Orchestrator | E1 IOT Orchestrator Security | HTTP | Yes | 5.8 | Network | Low | None | None | Changed | Low | None | None | Prior to 9.2.5.1 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2020-11023.
  • The patch for CVE-2020-1967 also addresses CVE-2019-1551.

Oracle MySQL Risk Matrix

This Critical Patch Update contains 43 new security patches for Oracle MySQL. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-13871 | MySQL Workbench | Workbench (SQLite) | MySQL Workbench | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2019-10086 | MySQL Enterprise Monitor | Service Manager (Apache Commons BeanUtils) | HTTPS | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 8.0.22 and prior | |
| CVE-2021-2046 | MySQL Server | Server: Stored Procedure | MySQL Protocol | No | 6.8 | Network | Low | High | None | Changed | None | None | High | 8.0.22 and prior | |
| CVE-2020-5421 | MySQL Enterprise Monitor | Service Manager (Spring Framework) | HTTPS | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 8.0.22 and prior | |
| CVE-2020-5408 | MySQL Enterprise Monitor | Service Manager (Spring Security) | HTTPS | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 8.0.22 and prior | |
| CVE-2021-2020 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.20 and prior | |
| CVE-2021-2024 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 6.5 | Network | Low | Low | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2011 | MySQL Client | C API | MySQL Protocol | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 5.7.32 and prior, 8.0.22 and prior | |
| CVE-2020-1971 | MySQL Workbench | MySQL Workbench (OpenSSL) | MySQL Workbench | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2006 | MySQL Client | C API | MySQL Protocol | No | 5.3 | Network | High | Low | None | Unchanged | None | None | High | 8.0.19 and prior | |
| CVE-2021-2048 | MySQL Server | InnoDB | MySQL Protocol | No | 5.0 | Network | High | High | None | Unchanged | None | Low | High | 8.0.22 and prior | |
| CVE-2021-2028 | MySQL Server | InnoDB | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2021-2122 | MySQL Server | Server: DDL | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2058 | MySQL Server | Server: Locking | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2001 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.6.50 and prior, 5.7.30 and prior, 8.0.17 and prior | |
| CVE-2021-2016 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.19 and prior | |
| CVE-2021-2021 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2030 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2021-2031 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2036 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2055 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.21 and prior | |
| CVE-2021-2060 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.6.50 and prior, 5.7.32 and prior, 8.0.22 and prior | |
| CVE-2021-2070 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2076 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2065 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2014 | MySQL Server | Server: PAM Auth Plugin | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 5.7.32 and prior | |
| CVE-2021-2002 | MySQL Server | Server: Replication | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2012 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.20 and prior | |
| CVE-2021-2009 | MySQL Server | Server: Security: Roles | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.19 and prior | |
| CVE-2021-2072 | MySQL Server | Server: Stored Procedure | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2081 | MySQL Server | Server: Stored Procedure | MySQL Protocol | No | 4.9 | Network | Low | High | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2022 | MySQL Server | InnoDB | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 5.6.50 and prior, 5.7.32 and prior, 8.0.22 and prior | |
| CVE-2021-2038 | MySQL Server | Server: Components Services | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2061 | MySQL Server | Server: DDL | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2056 | MySQL Server | Server: DML | MySQL Protocol | No | 4.4 | Network | High | High | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2087 | MySQL Server | Server: DML | MySQL Protocol | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2088 | MySQL Server | Server: DML | MySQL Protocol | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | 8.0.22 and prior | |
| CVE-2021-2032 | MySQL Server | Information Schema | MySQL Protocol | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 5.7.32 and prior, 8.0.22 and prior | |
| CVE-2021-2010 | MySQL Client | C API | MySQL Protocol | No | 4.2 | Network | High | Low | None | Unchanged | None | Low | Low | 5.6.50 and prior, 5.7.32 and prior, 8.0.22 and prior | |
| CVE-2021-1998 | MySQL Server | Server: Optimizer | MySQL Protocol | No | 3.8 | Network | Low | High | None | Unchanged | None | Low | Low | 8.0.20 and prior | |
| CVE-2021-2007 | MySQL Client | C API | MySQL Protocol | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 5.6.47 and prior, 5.7.29 and prior, 8.0.19 and prior | |
| CVE-2021-2019 | MySQL Server | Server: Security: Privileges | MySQL Protocol | No | 2.7 | Network | Low | High | None | Unchanged | Low | None | None | 8.0.19 and prior | |
| CVE-2021-2042 | MySQL Server | InnoDB | MySQL Protocol | No | 2.3 | Local | Low | High | None | Unchanged | Low | None | None | 8.0.21 and prior | |

Additional CVEs addressed are:

  • The patch for CVE-2020-13871 also addresses CVE-2020-11655, CVE-2020-11656, CVE-2020-15358 and CVE-2020-9327.
  • The patch for CVE-2020-5408 also addresses CVE-2020-5407.

Oracle PeopleSoft Risk Matrix

This Critical Patch Update contains 8 new security patches for Oracle PeopleSoft. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-2063 | PeopleSoft Enterprise PeopleTools | Portal | None | No | 8.4 | Local | Low | None | None | Unchanged | High | High | High | 8.56, 8.57, 8.58 | |
| CVE-2021-2071 | PeopleSoft Enterprise PeopleTools | Elastic Search | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8.56, 8.57, 8.58 | |
| CVE-2019-0227 | PeopleSoft Enterprise HCM Human Resources | Global Payroll for Switzerland (Apache Axis) | HTTP | Yes | 7.5 | Adjacent Network | High | None | None | Unchanged | High | High | High | 9.2 | |
| CVE-2021-2044 | PeopleSoft Enterprise FIN Payables | Financial Sanctions | HTTP | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 9.2 | |
| CVE-2020-11022 | PeopleSoft Enterprise HCM Human Resources | Company Dir / Org Chart Viewer, Employee Snapshot (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.2 | |
| CVE-2021-2043 | PeopleSoft Enterprise PeopleTools | Portal | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
| CVE-2020-9281 | PeopleSoft Enterprise PeopleTools | Rich Text Editor (CKEditor) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 8.56, 8.57, 8.58 | |
| CVE-2020-1968 | PeopleSoft Enterprise PeopleTools | Security (OpenSSL) | HTTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 8.56, 8.57, 8.58 | |

Additional CVEs addressed are:

  • The patch for CVE-2019-0227 also addresses CVE-2018-8032.
  • The patch for CVE-2020-11022 also addresses CVE-2020-11023.

Oracle Retail Applications Risk Matrix

This Critical Patch Update contains 32 new security patches for Oracle Retail Applications. 20 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-10683 | Oracle Retail Customer Management and Segmentation Foundation | Segment (dom4j) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 16.0, 17.0, 18.0, 19.0 | |
| CVE-2020-9546 | Oracle Retail Merchandising System | Foundation (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 15.0 | |
| CVE-2020-9546 | Oracle Retail Sales Audit | Rule Wizards (jackson-databind) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 14.1 | |
| CVE-2020-1945 | Oracle Retail Extract Transform and Load | Mathematical Operators (Apache Ant) | HTTP | Yes | 9.1 | Network | Low | None | None | Unchanged | High | High | None | 13.2.5, 13.2.8 | |
| CVE-2020-5421 | Oracle Retail Order Broker | System Administration (Spring Framework) | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 15.0, 16.0 | |
| CVE-2017-8028 | Oracle Retail Invoice Matching | Posting (Spring-LDAP) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 13.2, 14.0, 14.1 | |
| CVE-2020-5398 | Oracle Retail Bulk Data Integration | BDI Job Scheduler (Spring Framework) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 16.0.3 | |
| CVE-2020-11979 | Oracle Retail Financial Integration | PeopleSoft Integration (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 14.1.3, 15.0.3, 16.0.3 | |
| CVE-2020-11979 | Oracle Retail Integration Bus | RIB Kernal (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 14.1.3, 15.0.3, 16.0.3 | |
| CVE-2019-17566 | Oracle Retail Integration Bus | RIB Kernal (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 15.0.3 | |
| CVE-2019-17566 | Oracle Retail Order Broker | System Administration (Apache Batik) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 15.0, 16.0 | |
| CVE-2020-11979 | Oracle Retail Service Backbone | RSB kernel (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 14.1.3, 15.0.3, 16.0.3 | |
| CVE-2020-11979 | Oracle Retail Store Inventory Management | SIM Integration (Apache Ant) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 14.1.3.9, 15.0.3.0, 16.0.3.0 | |
| CVE-2019-10086 | Oracle Retail Financial Integration | PeopleSoft Integration (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 14.1.3, 15.0.3, 16.0.3 | |
| CVE-2019-10086 | Oracle Retail Integration Bus | RIB Kernal (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 14.1.3, 15.0.3, 16.0.3 | |
| CVE-2019-10086 | Oracle Retail Order Broker | System Administration (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 15.0 | |
| CVE-2019-10086 | Oracle Retail Service Backbone | RSB kernel (Apache Commons BeanUtils) | HTTP | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 14.1.3, 15.0.3, 16.0.3 | |
| CVE-2020-9484 | Oracle Retail Order Broker | System Administration (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 15.0 | |
| CVE-2020-5421 | Oracle Retail Assortment Planning | Application Core (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | Low | High | None | 16.0.3 | |
| CVE-2020-5421 | Oracle Retail Financial Integration | PeopleSoft Integration (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | High | Low | None | 14.1.3, 15.0.3, 16.0.3 | |
| CVE-2020-5421 | Oracle Retail Integration Bus | RIB Kernal (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | High | Low | None | 14.1.3, 15.0.3, 16.0.3 | |
| CVE-2020-5421 | Oracle Retail Invoice Matching | Security (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | High | Low | None | 14.0, 14.1 | |
| CVE-2020-5421 | Oracle Retail Service Backbone | RSB kernel (Spring Framework) | HTTP | No | 6.5 | Network | High | Low | Required | Changed | High | Low | None | 14.1.3, 15.0.3, 16.0.3 | |
| CVE-2021-2057 | Oracle Retail Customer Management and Segmentation Foundation | Internal Operations | HTTP | No | 6.3 | Network | Low | Low | None | Unchanged | Low | Low | Low | 19.0 | |
| CVE-2019-17091 | Oracle Retail Bulk Data Integration | BDI Job Scheduler (Eclipse Mojarra) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 16.0.3 | |
| CVE-2020-13954 | Oracle Retail Order Broker Cloud Service | Supplier Direct Fulfillment (Apache CXF) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 15.0 | |
| CVE-2019-17091 | Oracle Retail Store Inventory Management | SIM Integration (Eclipse Mojarra) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 14.0.4.0, 14.1.3.0, 15.0.3.0, 16.0.3.0 | |
| CVE-2020-17521 | Oracle Retail Bulk Data Integration | BDI Job Scheduler (Apache Groovy) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 15.0.3, 16.0.3 | |
| CVE-2020-17521 | Oracle Retail Financial Integration | PeopleSoft Integration Bugs (Apache Groovy) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 15.0.3, 16.0.3 | |
| CVE-2020-17521 | Oracle Retail Integration Bus | RIB Kernal (Apache Groovy) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 15.0.3, 16.0.3 | |
| CVE-2020-17521 | Oracle Retail Service Backbone | RSB kernel (Apache Groovy) | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 15.0.3, 16.0.3 | |
| CVE-2020-9488 | Oracle Retail Customer Management and Segmentation Foundation | Promotions (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 16.0, 17.0, 18.0, 19.0 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-1945 also addresses CVE-2017-5645.
  • The patch for CVE-2020-5398 also addresses CVE-2020-5421.
  • The patch for CVE-2020-9546 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-9547 and CVE-2020-9548.

Oracle Siebel CRM Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Siebel CRM. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

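CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-2039 | Siebel Core - Server Framework | Search | HTTP | No | 7.6 | Network | Low | Low | Required | Changed | High | Low | None | 20.12 and prior | |
| CVE-2020-9484 | Siebel UI Framework | EAI (Apache Tomcat) | None | No | 7.0 | Local | High | Low | None | Unchanged | High | High | High | 20.12 and prior | |
| CVE-2020-11022 | Siebel Mobile App | Open UI (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 20.12 and prior | |
| CVE-2021-2004 | Siebel Core - Server BizLogic Script | Integration - Scripting | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | Low | None | None | 20.12 and prior | |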

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2020-11023.
  • The patch for CVE-2020-9484 also addresses CVE-2020-11996, CVE-2020-13934, CVE-2020-13935, CVE-2020-1935 and CVE-2020-9488.

Oracle Supply Chain Risk Matrix

This Critical Patch Update contains 11 new security patches for Oracle Supply Chain. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-2102 | Oracle Complex Maintenance, Repair, and Overhaul | Dialog Box | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.5.10, 12.1, 12.2 | |
| CVE-2021-2103 | Oracle Complex Maintenance, Repair, and Overhaul | Dialog Box | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.5.10, 12.1, 12.2 | |
| CVE-2021-2104 | Oracle Complex Maintenance, Repair, and Overhaul | Dialog Box | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 11.5.10, 12.1, 12.2 | |
| CVE-2021-2078 | Oracle Configurator | UI Servlet | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1, 12.2 | |
| CVE-2021-2079 | Oracle Configurator | UI Servlet | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1, 12.2 | |
| CVE-2021-2080 | Oracle Configurator | UI Servlet | HTTP | Yes | 8.2 | Network | Low | None | Required | Changed | High | Low | None | 12.1, 12.2 | |
| CVE-2020-14195 | Oracle Agile PLM | Security (jackson-databind) | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 9.3.6 | |
| CVE-2019-17563 | Oracle Agile Engineering Data Management | Install (Apache Tomcat) | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 6.2.1.0 | |
| CVE-2020-9281 | Oracle Agile PLM | Security (CKEditor) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 9.3.5, 9.3.6 | |
| CVE-2019-11358 | Oracle Agile Product Lifecycle Management for Process | Installation (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 6.1 | |
| CVE-2019-11358 | Oracle Transportation Management | Install (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 1.4.3 | |

Additional CVEs addressed are:

  • The patch for CVE-2019-11358 also addresses CVE-2020-11022 and CVE-2020-11023.
  • The patch for CVE-2019-17563 also addresses CVE-2019-17569, CVE-2020-1935, CVE-2020-1938 and CVE-2020-9484.
  • The patch for CVE-2020-14195 also addresses CVE-2020-10650, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-24616, CVE-2020-24750, CVE-2020-9546, CVE-2020-9547 and CVE-2020-9548.

Oracle Systems Risk Matrix

This Critical Patch Update contains 4 new security patches for Oracle Systems. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-11984 | Oracle ZFS Storage Appliance Kit | Operating System Image | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.8 | |
| CVE-2020-11022 | StorageTek Tape Analytics SW Tool | Software (jQuery) | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 2.3.1 | |
| CVE-2021-1999 | Oracle ZFS Storage Appliance Kit | RAS subsystems | None | No | 5.0 | Local | High | High | Required | Changed | None | High | None | 8.8 | |
| CVE-2020-9488 | StorageTek Tape Analytics SW Tool | Software (Apache Log4j) | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 2.3.1 | |

Additional CVEs addressed are:

  • The patch for CVE-2020-11022 also addresses CVE-2020-11023.
  • The patch for CVE-2020-11984 also addresses CVE-2018-20781, CVE-2019-11135, CVE-2019-20892, CVE-2019-20907, CVE-2020-11985, CVE-2020-11993, CVE-2020-13254, CVE-2020-13596, CVE-2020-13871, CVE-2020-14422, CVE-2020-15025, CVE-2020-15358, CVE-2020-17498, CVE-2020-24583, CVE-2020-24584, CVE-2020-25862, CVE-2020-25863, CVE-2020-25866, CVE-2020-26575, CVE-2020-9490 and CVE-2021-1999.

Oracle Utilities Applications Risk Matrix

This Critical Patch Update contains 1 new security patch for Oracle Utilities Applications. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

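CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-2555 | Oracle Utilities Framework | General (Oracle Coherence) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | |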

Oracle Virtualization Risk Matrix

This Critical Patch Update contains 17 new security patches for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

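CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-2074 | Oracle VM VirtualBox | Core | None | No | 8.2 | Local | Low | High | None | Changed | High | High | High | Prior to 6.1.18 | |
| CVE-2021-2129 | Oracle VM VirtualBox | Core | None | No | 7.9 | Local | Low | High | None | Changed | High | High | None | Prior to 6.1.18 | |
| CVE-2021-2128 | Oracle VM VirtualBox | Core | None | No | 6.5 | Local | Low | Low | None | Changed | High | None | None | Prior to 6.1.18 | |
| CVE-2021-2086 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | None | None | High | Prior to 6.1.18 | |
| CVE-2021-2111 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | None | None | High | Prior to 6.1.18 | |
| CVE-2021-2112 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | None | None | High | Prior to 6.1.18 | |
| CVE-2021-2121 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | None | None | High | Prior to 6.1.18 | |
| CVE-2021-2124 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | None | None | High | Prior to 6.1.18 | |
| CVE-2021-2119 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.18 | |
| CVE-2021-2120 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | High | None | None | Prior to 6.1.18 | |
| CVE-2021-2126 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | None | High | None | Prior to 6.1.18 | |
| CVE-2021-2131 | Oracle VM VirtualBox | Core | None | No | 6.0 | Local | Low | High | None | Changed | None | High | None | Prior to 6.1.18 | |
| CVE-2021-2125 | Oracle VM VirtualBox | Core | None | No | 4.6 | Local | Low | High | None | Changed | Low | Low | None | Prior to 6.1.18 | |
| CVE-2021-2073 | Oracle VM VirtualBox | Core | None | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | Prior to 6.1.18 | |
| CVE-2021-2127 | Oracle VM VirtualBox | Core | None | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | Prior to 6.1.18 | |
| CVE-2021-2130 | Oracle VM VirtualBox | Core | None | No | 4.4 | Local | Low | High | None | Unchanged | None | None | High | Prior to 6.1.18 | |
| CVE-2021-2123 | Oracle VM VirtualBox | Core | None | No | 3.2 | Local | Low | High | None | Changed | Low | None | None | Prior to 6.1.18 | |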

Download Sun Surveyor Lite PC for free at BrowserCam. Adam Ratana published Sun Surveyor Lite for Android operating system mobile devices, but it is possible to download and install Sun Surveyor Lite for PC or Computer with operating systems such as Windows 7, 8, 8.1, 10 and Mac.

Let's find out the prerequisites to install Sun Surveyor Lite on Windows PC or MAC computer without much delay.

Select an Android emulator: There are many free and paid Android emulators available for PC and MAC. A few of the popular ones are Bluestacks, Andy OS, Nox and MeMu, and you can find more through Google.

Compatibility: Before downloading them take a look at the minimum system requirements to install the emulator on your PC.

For example, BlueStacks requires OS: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista SP2, Windows XP SP3 (32-bit only), Mac OS Sierra (10.12), High Sierra (10.13) and Mojave (10.14), 2-4GB of RAM, 4GB of disk space for storing Android apps/games, and updated graphics drivers.

Finally, download and install the emulator which will work well with your PC's hardware/software.

How to Download and Install Sun Surveyor Lite for PC or MAC:

  • Open the emulator software from the start menu or desktop shortcut in your PC.
  • Associate or set up your Google account with the emulator.
  • You can either install the app from Google PlayStore inside the emulator or download Sun Surveyor Lite APK file and open the APK file with the emulator or drag the file into the emulator window to install Sun Surveyor Lite for PC.

You can follow the above instructions to install Sun Surveyor Lite for PC with any of the Android emulators available.