Oracle Critical Patch Update (CPU) October 2020 for Siebel Core CRM (Doc ID 2711617.1)

Last updated on OCTOBER 20, 2020

Applies to:

Support Tools > My Oracle Support > My Oracle Support
Information in this document applies to any platform.

Purpose

Oracle provides Critical Patch Updates (CPU) to its customers to fix security vulnerabilities. This document defines and identifies the Siebel Core CRM patches and minimum releases that are required for the Oracle products to address the security vulnerabilities announced in the Advisory for October 2020.

Scope

The October 2020 Critical Patch Update for Siebel Core CRM applications contains patches for the following security issues:

CVE-2016-1000031: Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Mktg/Email Mktg Stand-Alone (Apache Commons File Upload)). The supported version that is affected is 20.7. Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Siebel Apps - Marketing. Successful attacks of this vulnerability can result in takeover of Siebel Apps - Marketing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE-2019-10072: Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Mktg/Campaign Mgmt (Apache Tomcat)). The supported version that is affected is 20.7. Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Siebel Apps - Marketing. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel Apps - Marketing. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVE-2020-11022: Vulnerability in the Siebel UI Framework product of Oracle Siebel CRM (component: UIF Open UI (jQuery)). The supported version that is affected is 20.8. Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Siebel UI Framework. Successful attacks require human interaction from a person other than the attacker and, while the vulnerability is in Siebel UI Framework, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Siebel UI Framework accessible data as well as unauthorized read access to a subset of Siebel UI Framework accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
