Vulnerability Name: CVE-2016-0635 (CCN-115173) Assigned: 2015-12-09 Published: 2016-07-19 Updated: 2019-04-23 Summary: Unspecified vulnerability in the Enterprise Manager Ops Center component in Oracle Enterprise Manager Grid Control 12.1.4, 12.2.2, and 12.3.2; the Oracle Health Sciences Information Manager component in Oracle Health Sciences Applications 1.2.8.3, 2.0.2.3, and 3.0.1.0; the Oracle Healthcare Master Person Index component in Oracle Health Sciences Applications 2.0.12, 3.0.0, and 4.0.1; the Oracle Documaker component in Oracle Insurance Applications before 12.5; the Oracle Insurance Calculation Engine component in Oracle Insurance Applications 9.7.1, 10.1.2, and 10.2.2; the Oracle Insurance Policy Administration J2EE and Oracle Insurance Rules Palette components in Oracle Insurance Applications 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, and 10.2.2; the Oracle Retail Integration Bus component in Oracle Retail Applications 15.0; the Oracle Retail Order Broker component in Oracle Retail Applications 5.1, 5.2, and 15.0; the Primavera Contract Management component in Oracle Primavera Products Suite 14.2; the Primavera P6 Enterprise Project Portfolio Management component in Oracle Primavera Products Suite 8.2, 8.3, 8.4, 15.1, 15.2, and 16.1; the Oracle Financial Services Analytical Applications Infrastructure component in Oracle Financial Services Applications 8.0.0, 8.0.1, 8.0.2, and 8.0.3; the Oracle Commerce Guided Search / Oracle Commerce Experience Manager component in Oracle Commerce 3.1.1, 3.1.2, 11.0, 11.1, and 11.2; the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5; the Oracle Communications BRM - Elastic Charging Engine 11.2.0.0.0 and 11.3.0.0.0; the Oracle Enterprise Repository Enterprise Repository 12.1.3.0.0; the Oracle Financial Services Behavior Detection Platform 8.0.1 and 8.0.2; the Oracle Hyperion Essbase 12.2.1.1; the Oracle Tuxedo System and Applications Monitor (TSAM) 11.1.1.2.0, 11.1.1.2.1, 11.1.1.2.1, 12.1.1.1.0, 12.1.3.0.0, and 12.2.2.0.0; the Oracle Communications WebRTC Session Controller component of Oracle Communications Applications (subcomponent: Security (Spring)) 7.0, 7.1 and 7.2; the Oracle Endeca Information Discovery Integrator 3.2; the Converged Commerce component of Oracle Retail Applications 16.0.1; the Oracle Identity Manager 11.1.2.3.0; Oracle Enterprise Manager for MySQL Database 12.1.0.4; Oracle Retail Invoice Matching 12.0, 13.0, 13.1, 13.2, 14.0, and 14.1; Oracle Communications Performance Intelligence Center (PIC) Software Prior to 10.2.1 and the Oracle Knowledge component of Oracle Siebel CRM (subcomponent: AnswerFlow (Spring Framework)) version 8.5.1.0 - 8.5.1.7 and 8.6.0 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. CVSS v3 Severity: 8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): LowUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 7.7 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): LowUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
CVSS v2 Severity: 9.0 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAuthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
Vulnerability Type: CWE-noinfo Vulnerability Consequences: Gain Access References: Source: MITRECVE-2016-0635 Oracle Critical Patch Update Advisory - April 2017 http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html Oracle Critical Patch Update Advisory - April 2018 http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html Oracle Critical Patch Update Advisory - April 2019 Oracle Critical Patch Update Advisory - January 2017 Oracle Critical Patch Update Advisory - January 2018 http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html Oracle Critical Patch Update Advisory - January 2019 Oracle Critical Patch Update Advisory - July 2016 http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html Oracle Critical Patch Update Advisory - July 2017 http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html Oracle Critical Patch Update Advisory - October 2016 http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html Oracle Critical Patch Update Advisory - October 2017 http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html Oracle Critical Patch Update Advisory - October 2018 http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html 91787 Oracle July 2016 Critical Patch Update Multiple Vulnerabilities 91869 Multiple Oracle Products CVE-2016-0635 Remote Security Vulnerability 1036377 1036378 1036393 1036397 1037640 oracle-cpujul2016-cve20160635(115173) https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html Vulnerable Configuration: Configuration 1 :cpe:/a:oracle:documaker:*:*:*:*:*:*:*:* (Version <= 12.5)OR cpe:/a:oracle:enterprise_manager_ops_center:12.1.4:*:*:*:*:*:*:* OR cpe:/a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:* OR cpe:/a:oracle:enterprise_manager_ops_center:12.3.2:*:*:*:*:*:*:* OR cpe:/a:oracle:health_sciences_information_manager:1.2.8.3:*:*:*:*:*:*:* OR cpe:/a:oracle:health_sciences_information_manager:2.0.2.3:*:*:*:*:*:*:* OR cpe:/a:oracle:health_sciences_information_manager:3.0.1.0:*:*:*:*:*:*:* OR cpe:/a:oracle:healthcare_master_person_index:2.0.12:*:*:*:*:*:*:* OR cpe:/a:oracle:healthcare_master_person_index:3.0.0:*:*:*:*:*:*:* OR cpe:/a:oracle:healthcare_master_person_index:4.0.1:*:*:*:*:*:*:* OR cpe:/a:oracle:insurance_calculation_engine:9.7.1:*:*:*:*:*:*:* OR cpe:/a:oracle:insurance_calculation_engine:10.1.2:*:*:*:*:*:*:* OR cpe:/a:oracle:insurance_calculation_engine:10.2.2:*:*:*:*:*:*:* OR cpe:/a:oracle:insurance_policy_administration_j2ee:9.6.1:*:*:*:*:*:*:* OR cpe:/a:oracle:insurance_policy_administration_j2ee:9.7.1:*:*:*:*:*:*:* OR cpe:/a:oracle:insurance_policy_administration_j2ee:10.0.1:*:*:*:*:*:*:* OR cpe:/a:oracle:insurance_policy_administration_j2ee:10.1.2:*:*:*:*:*:*:* OR cpe:/a:oracle:insurance_policy_administration_j2ee:10.2.0:*:*:*:*:*:*:* OR cpe:/a:oracle:insurance_policy_administration_j2ee:10.2.2:*:*:*:*:*:*:* OR cpe:/a:oracle:insurance_rules_palette:9.6.1:*:*:*:*:*:*:* OR cpe:/a:oracle:insurance_rules_palette:9.7.1:*:*:*:*:*:*:* OR cpe:/a:oracle:insurance_rules_palette:10.0.1:*:*:*:*:*:*:* OR cpe:/a:oracle:insurance_rules_palette:10.1.2:*:*:*:*:*:*:* OR cpe:/a:oracle:insurance_rules_palette:10.2.0:*:*:*:*:*:*:* OR cpe:/a:oracle:insurance_rules_palette:10.2.2:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_contract_management:14.2:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:8.2:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:8.3:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:8.4:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_order_broker_cloud_service:5.1:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_order_broker_cloud_service:5.2:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_order_broker_cloud_service:15.0:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:oracle:retail_assortment_planning:14.1:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_assortment_planning:15.0:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_predictive_application_server:14.0:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_predictive_application_server:14.1:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_predictive_application_server:15.0:*:*:*:*:*:*:* OR cpe:/a:oracle:flexcube_private_banking:12.0.1:*:*:*:*:*:*:* OR cpe:/a:oracle:flexcube_private_banking:12.0.2:*:*:*:*:*:*:* OR cpe:/a:oracle:flexcube_private_banking:12.0.3:*:*:*:*:*:*:* OR cpe:/a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:* OR cpe:/a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_webrtc_session_controller:7.0:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_webrtc_session_controller:7.1:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_webrtc_session_controller:7.2:*:*:*:*:*:*:* OR cpe:/a:oracle:identity_manager:11.1.2.3.0:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_back_office:14.1:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_invoice_matching:12.0:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_invoice_matching:13.0:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_invoice_matching:13.1:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_invoice_matching:13.2:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_invoice_matching:14.0:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_invoice_matching:14.1:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_point-of-service:14.1.3:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:* OR cpe:/a:oracle:enterprise_repository:12.1.3.0.0:*:*:*:*:*:*:* BACK
oracle documaker *
oracle enterprise manager ops center 12.1.4
oracle enterprise manager ops center 12.2.2
oracle enterprise manager ops center 12.3.2
oracle health sciences information manager 1.2.8.3
oracle health sciences information manager 2.0.2.3
oracle health sciences information manager 3.0.1.0
oracle healthcare master person index 2.0.12
oracle healthcare master person index 3.0.0
oracle healthcare master person index 4.0.1
oracle insurance calculation engine 9.7.1
oracle insurance calculation engine 10.1.2
oracle insurance calculation engine 10.2.2
oracle insurance policy administration j2ee 9.6.1
oracle insurance policy administration j2ee 9.7.1
oracle insurance policy administration j2ee 10.0.1
oracle insurance policy administration j2ee 10.1.2
oracle insurance policy administration j2ee 10.2.0
oracle insurance policy administration j2ee 10.2.2
oracle insurance rules palette 9.6.1
oracle insurance rules palette 9.7.1
oracle insurance rules palette 10.0.1
oracle insurance rules palette 10.1.2
oracle insurance rules palette 10.2.0
oracle insurance rules palette 10.2.2
oracle primavera contract management 14.2
oracle primavera p6 enterprise project portfolio management 8.2
oracle primavera p6 enterprise project portfolio management 8.3
oracle primavera p6 enterprise project portfolio management 8.4
oracle primavera p6 enterprise project portfolio management 15.1
oracle primavera p6 enterprise project portfolio management 15.2
oracle primavera p6 enterprise project portfolio management 16.1
oracle retail integration bus 15.0
oracle retail order broker cloud service 5.1
oracle retail order broker cloud service 5.2
oracle retail order broker cloud service 15.0
oracle retail assortment planning 14.1
oracle retail assortment planning 15.0
oracle retail predictive application server 14.0
oracle retail predictive application server 14.1
oracle retail predictive application server 15.0
oracle flexcube private banking 12.0.1
oracle flexcube private banking 12.0.2
oracle flexcube private banking 12.0.3
oracle flexcube private banking 12.1.0
oracle endeca information discovery integrator 3.2.0
oracle communications webrtc session controller 7.0
oracle communications webrtc session controller 7.1
oracle communications webrtc session controller 7.2
oracle identity manager 11.1.2.3.0
oracle retail back office 14.1
oracle retail invoice matching 12.0
oracle retail invoice matching 13.0
oracle retail invoice matching 13.1
oracle retail invoice matching 13.2
oracle retail invoice matching 14.0
oracle retail invoice matching 14.1
oracle retail point-of-service 14.1.3
oracle retail returns management 14.1
oracle enterprise repository 12.1.3.0.0
Denotes that component is vulnerable