This document contains the January 2016 Critical Patch Update patch availability information for Oracle Supply Chain Suite Products.
Scope
This Critical Patch Update knowledge document applies to the following Supply Chain Suite Products:
The tables and documentation below list the patches needed for the products noted above to address identified security
vulnerabilities and provide information on downloading and applying the recommended patches.
Release 6.1.2.2
Release 6.1.3.0
Release 6.2.0.0
CVE-2016-0497 Vulnerability in the Oracle Agile Engineering Data Management component of Oracle Supply Chain Products Suite
(subcomponent: Web Client). Supported versions that are affected are 6.1.2.2, 6.1.3.0 and 6.2.0.0. Difficult to exploit vulnerability
allows successful unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized update,
insert or delete access to some Oracle Agile Engineering Data Management accessible data. CVSS Base Score 4.3 (Integrity
impacts). CVSS V2 Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N). (legend) [Advisory]
CVE-2016-0498 Vulnerability in the Oracle Agile Engineering Data Management component of Oracle Supply Chain Products Suite
(subcomponent: Install). Supported versions that are affected are 6.1.2.2, 6.1.3.0 and 6.2.0.0. Difficult to exploit vulnerability requiring
logon to Operating System plus additional login/authentication to component or subcomponent. Successful attack of this vulnerability
can escalate attacker privileges resulting in unauthorized read access to all Oracle Agile Engineering Data Management accessible
data. CVSS Base Score 1.5 (Confidentiality impacts). CVSS V2 Vector: (AV:L/AC:M/Au:S/C:P/I:N/A:N). (legend) [Advisory]
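Oracle Supply Chain Products Suite Risk Matrix: Oracle Agile Engineering Data Management

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2016-0497 (20919824) | Oracle Agile Engineering Data Management | HTTP | Web Client | Yes | 4.3 | Network | Medium | None | None | Partial | None | 6.1.2.2, 6.1.3.0, 6.2.0.0 |
| CVE-2016-0498 (21434813) | Oracle Agile Engineering Data Management | None | Install | No | 1.5 | Local | Medium | Single | Partial+ | None | None | 6.1.2.2, 6.1.3.0, 6.2.0.0 |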
Patch Availability for Oracle Agile Engineering Data Management (version 6.1.2.2, 6.1.3.0, 6.2.0.0)
Patches for CVE-2016-:
Version 6.1.3.0: Patch # 21809841; ARU (19735065) for the following platforms
o IBM AIX on POWER Systems (64-bit)
o Linux x86-64
o Oracle Solaris on SPARC (64-bit)
o Microsoft Windows (32-bit)
o Microsoft Windows x64 (64-bit)
Version 6.2.0.0: Patch # 21809849; ARU (19744597) for the following platforms
o IBM AIX on POWER Systems (64-bit)
o HP-UX Itanium
o Linux x86-64
o Oracle Solaris on SPARC (64-bit)
o Microsoft Windows x64 (64-bit)
Patches for CVE-2016-0498:
Version 6.2.0.0: Patch # 21901676; ARU (19596656) for the following platforms
o IBM AIX on POWER Systems (64-bit)
o HP-UX Itanium: ARU
o Linux x86-64 ARU
o Oracle Solaris on SPARC (64-bit)
o Microsoft Windows x64 (64-bit)
Oracle Configurator
Details of January 2016 Critical Patch Update patches for Oracle Agile PLM are as follows:
Customers using the following Oracle Configurator releases are supported for the January 2016 Critical Patch Update and should apply the applicable patches listed in this document:
Release 11.5.10.2
Release 12.1
Release 12.2
CVE-2016-0540 Vulnerability in the Oracle Configurator component of Oracle Supply Chain Products Suite (subcomponent: UI
Servlet). Supported versions that are affected are 11.5.10.2, 12.1 and 12.2. Easily exploitable vulnerability allows successful
unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized read access to a subset of
Oracle Configurator accessible data. CVSS Base Score 5.0 (Confidentiality impacts). CVSS V2 Vector:
(AV:N/AC:L/Au:N/C:P/I:N/A:N). (legend) [Advisory]
CVE-2016-0541 Vulnerability in the Oracle Configurator component of Oracle Supply Chain Products Suite (subcomponent: UI
Servlet). Supported versions that are affected are 11.5.10.2, 12.1 and 12.2. Easily exploitable vulnerability allows successful
unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized read access to a subset of
Oracle Configurator accessible data. CVSS Base Score 5.0 (Confidentiality impacts). CVSS V2 Vector:
(AV:N/AC:L/Au:N/C:P/I:N/A:N). (legend) [Advisory]
| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2016-0540 (22190153) | Oracle Configurator | HTTP | UI Servlet | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.5.10.2, 12.1, 12.2 |
| CVE-2016-0541 (22190168) | Oracle Configurator | HTTP | UI Servlet | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.5.10.2, 12.1, 12.2 |
Patch Availability for Oracle Configurator (version 11.5.10.2, 12.1, 12.2)
Patches for CVE-2016-0540:
Version 11.5.10.2 Patch 22190153, ARU (22190153:11i10)
Version 12.1.1 Patch 22190153, ARU (22190153:R12.CZ.B)
Version 12.2.3 Patch 22190153, ARU (22190153:R12.CZ.C)
Patches for CVE-2016-0541:
Version 12.1.1 Patch 22190168, ARU (22190168:R12.CZ.B)
Version 12.2.3 Patch 22190168, ARU (22190168:R12.CZ.B)
Release 9.3.1.1
Release 9.3.1.2
Release 9.3.2
Release 9.3.3
CVE-2015-4924 Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Security).
Supported versions that are affected are 9.3.1.1, 9.3.1.2, 9.3.2 and 9.3.3. Difficult to exploit vulnerability allows successful authenticated
network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some
Oracle Agile PLM accessible data. CVSS Base Score 3.5 (Integrity impacts). CVSS V2 Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N).
(legend) [Advisory]
Oracle Supply Chain Products Suite Risk Matrix: Oracle Agile PLM

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2015-4924 (18397205) | Oracle Agile PLM | HTTP | Security | No | 3.5 | Network | Medium | Single | None | Partial | None | 9.3.1.1, 9.3.1.2, 9.3.2, 9.3.3 |
Patch Availability for Oracle Agile PLM (version 9.3.1.1, 9.3.1.2, 9.3.2, 9.3.3)
Patches for CVE-2015-4924:
Version 9.3.1.1 Patch 22482717, ARU (19725069)
Version 9.3.1.2 Patch 22482798, ARU (19725316)
Version 9.3.2 Patch 22487483, ARU (19728315)
Version 9.3.3 Patch 21557560, ARU (19207983)
**Note: Some patches may require a password for download. Please contact Oracle Support for that information.
Please read the appropriate readme documentation and apply the recommended patches accordingly.