Oracle Critical Patch Update (CPU) October 2019 for Core Siebel CRM (Doc ID 2600266.1)

Last updated on OCTOBER 15, 2019

Applies to:

Siebel CRM
Information in this document applies to any platform.

Purpose

Oracle provides Critical Patch Updates (CPU) to its customers to fix security vulnerabilities. This document defines and identifies the Oracle Siebel CRM patches and minimum releases that are required for the Oracle products to address the security vulnerabilities announced in the Advisory for October 2019.

Scope

October 2019 Critical Patch Update for Siebel Core CRM applications contains patches for the following security issues:

CVE-2018-8037 - Vulnerability in the Siebel UI Framework product of Oracle Siebel CRM (component: Customizable Prod/Configurator (Apache Tomcat)). Supported versions that are affected are 19.7 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel UI Framework. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Siebel UI Framework accessible data. CVSS v3.0 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVE-2019-11358 - Vulnerability in the Siebel Mobile Applications product of Oracle Siebel CRM (component: CG Mobile Connected (jQuery)). Supported versions that are affected are 19.8 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Mobile Applications. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Siebel Mobile Applications, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Siebel Mobile Applications accessible data as well as unauthorized read access to a subset of Siebel Mobile Applications accessible data. CVSS v3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVE-2019-2935 - Vulnerability in the Siebel UI Framework product of Oracle Siebel CRM (component: EAI). Supported versions that are affected are 19.8 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel UI Framework. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Siebel UI Framework accessible data. CVSS v3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVE-2019-2965 - Vulnerability in the Siebel Core - DB Deployment and Configuration product of Oracle Siebel CRM (component: Install - Configuration). Supported versions that are affected are 19.8 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Core - DB Deployment and Configuration. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Siebel Core - DB Deployment and Configuration accessible data. CVSS v3.0 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
