
Purpose

This document contains the January 2016 Critical Patch Update patch availability information for Oracle Supply Chain Suite
Products.

Scope
This Critical Patch Update knowledge document applies to the following Supply Chain Suite Products:

Oracle Agile Engineering Data Management 6.1.2.2, 6.1.3.0, 6.2.0.0

Oracle Configurator 11.5.10.2, 12.1, 12.2

Oracle Agile PLM 9.3.1.2, 9.3.1.2, 9.3.2, 9.3.3

The tables and documentation below list the patches needed for the products noted above to address identified security
vulnerabilities and provide information on downloading and applying the recommended patches.

Patch Availability Information


Oracle Agile Engineering Data Management
Details of January 2016 Critical Patch Update patches for Oracle Transportation Management are as follows:
Customers using the following Oracle Transportation Management are supported for January 2016 Critical Patch Update
and should apply the applicable patches listed in this document: 6.1.2.2, 6.1.3.0, 6.2.0.0

Release 6.1.2.2
Release 6.1.3.0
Release 6.2.0.0

CVE-2016-0497 Vulnerability in the Oracle Agile Engineering Data Management component of Oracle Supply Chain Products Suite
(subcomponent: Web Client). Supported versions that are affected are 6.1.2.2, 6.1.3.0 and 6.2.0.0. Difficult to exploit vulnerability
allows successful unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized update,
insert or delete access to some Oracle Agile Engineering Data Management accessible data. CVSS Base Score 4.3 (Integrity
impacts). CVSS V2 Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N).

CVE-2016-0498 Vulnerability in the Oracle Agile Engineering Data Management component of Oracle Supply Chain Products Suite
(subcomponent: Install). Supported versions that are affected are 6.1.2.2, 6.1.3.0 and 6.2.0.0. Difficult to exploit vulnerability requiring
logon to Operating System plus additional login/authentication to component or subcomponent. Successful attack of this vulnerability
can escalate attacker privileges resulting in unauthorized read access to all Oracle Agile Engineering Data Management accessible
data. CVSS Base Score 1.5 (Confidentiality impacts). CVSS V2 Vector: (AV:L/AC:M/Au:S/C:P/I:N/A:N).

Oracle Supply Chain Products Suite Risk Matrix: Oracle Agile Engineering Data Management

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-0497 20919824 | Oracle Agile Engineering Data Management | HTTP | Web Client | Yes | 4.3 | Network | Medium | None | None | Partial | None | 6.1.2.2, 6.1.3.0, 6.2.0.0 |
| CVE-2016-0498 21434813 | Oracle Agile Engineering Data Management | None | Install | No | 1.5 | Local | Medium | Single | Partial+ | None | None | 6.1.2.2, 6.1.3.0, 6.2.0.0 |

Patch Availability for Oracle Agile Engineering Data Management (version 6.1.2.2, 6.1.3.0,
6.2.0.0)
Patches for CVE-2016-:
Version 6.1.3.0: Patch # 21809841; ARU (19735065) for the following platforms
o IBM AIX on POWER Systems (64-bit)
o Linux x86-64
o Oracle Solaris on SPARC (64-bit)
o Microsoft Windows (32-bit)
o Microsoft Windows x64 (64-bit)
Version 6.2.0.0: Patch # 21809849; ARU (19744597) for the following platforms
o IBM AIX on POWER Systems (64-bit)
o HP-UX Itanium
o Linux x86-64
o Oracle Solaris on SPARC (64-bit)
o Microsoft Windows x64 (64-bit)
Patches for CVE-2016-0498:
Version 6.2.0.0: Patch # 21901676; ARU (19596656) for the following platforms
o IBM AIX on POWER Systems (64-bit)
o HP-UX Itanium: ARU
o Linux x86-64 ARU
o Oracle Solaris on SPARC (64-bit)
o Microsoft Windows x64 (64-bit)

Oracle Configurator
Details of January 2016 Critical Patch Update patches for Oracle Agile PLM are as follows:
Customers using the following Oracle Configurator are supported for January 2016 Critical Patch Update and should
apply the applicable patches listed in this document:

Release 11.5.10.2
Release 12.1
Release 12.2

CVE-2016-0540 Vulnerability in the Oracle Configurator component of Oracle Supply Chain Products Suite (subcomponent: UI
Servlet). Supported versions that are affected are 11.5.10.2, 12.1 and 12.2. Easily exploitable vulnerability allows successful
unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized read access to a subset of
Oracle Configurator accessible data. CVSS Base Score 5.0 (Confidentiality impacts). CVSS V2 Vector:
(AV:N/AC:L/Au:N/C:P/I:N/A:N).
CVE-2016-0541 Vulnerability in the Oracle Configurator component of Oracle Supply Chain Products Suite (subcomponent: UI
Servlet). Supported versions that are affected are 11.5.10.2, 12.1 and 12.2. Easily exploitable vulnerability allows successful
unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized read access to a subset of
Oracle Configurator accessible data. CVSS Base Score 5.0 (Confidentiality impacts). CVSS V2 Vector:
(AV:N/AC:L/Au:N/C:P/I:N/A:N).

Oracle Supply Chain Products Suite Risk Matrix: Oracle Configurator

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-0540 22190153 | Oracle Configurator | HTTP | UI Servlet | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.5.10.2, 12.1, 12.2 |
| CVE-2016-0541 22190168 | Oracle Configurator | HTTP | UI Servlet | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.5.10.2, 12.1, 12.2 |

Patch Availability for Oracle Configurator (version 11.5.10.2, 12.1, 12.2)
Patches for CVE-2016-0540:
Version 11.5.10.2 Patch 22190153, ARU (22190153:11i10)
Version 12.1.1 Patch 22190153, ARU (22190153:R12.CZ.B)
Version 12.2.3 Patch 22190153, ARU (22190153:R12.CZ.C)
Patches for CVE-2016-0541:
Version 12.1.1 Patch 22190168, ARU (22190168:R12.CZ.B)
Version 12.2.3 Patch 22190168, ARU (22190168:R12.CZ.B)

Oracle Agile PLM


Details of January 2016 Critical Patch Update patches for Oracle Agile PLM are as follows:
Customers using the following Oracle Agile PLM are supported for October 2015 Critical Patch Update and should apply
the applicable patches listed in this document:

Release 9.3.1.1
Release 9.3.1.2
Release 9.3.2
Release 9.3.3

CVE-2015-4924 Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Security).
Supported versions that are affected are 9.3.1.1, 9.3.1.2, 9.3.2 and 9.3.3. Difficult to exploit vulnerability allows successful authenticated
network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some
Oracle Agile PLM accessible data. CVSS Base Score 3.5 (Integrity impacts). CVSS V2 Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N).

Oracle Supply Chain Products Suite Risk Matrix: Oracle Agile PLM

CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2015-4924 18397205 | Oracle Agile PLM | HTTP | Security | No | 3.5 | Network | Medium | Single | None | Partial | None | 9.3.1.1, 9.3.1.2, 9.3.2, 9.3.3 |

Patch Availability for Oracle Agile PLM (version 9.3.1.1, 9.3.1.2, 9.3.2, 9.3.3)
Patches for CVE-2015-4924:
Version 9.3.1.1 Patch 22482717, ARU (19725069)
Version 9.3.1.2 Patch 22482798, ARU (19725316)
Version 9.3.2 Patch 22487483, ARU (19728315)
Version 9.3.3 Patch 21557560, ARU (19207983)

**Note: Some patches may require a password for download. Please contact Oracle Support for that information.

Please read the appropriate readme documentation and apply the recommended patches
accordingly.
