
Oracle Critical Patch Update (CPU) April 2021 for Core Siebel CRM (Doc ID 2765862.1)

Last updated on APRIL 23, 2021

Applies to:

Support Tools > My Oracle Support > My Oracle Support
Information in this document applies to any platform.

Purpose

Oracle provides Critical Patch Updates (CPU) to its customers to fix security vulnerabilities. This document defines and identifies the Core Siebel CRM patches and minimum releases that are required for the Oracle products to address the security vulnerabilities announced in the Advisory for April 2021.

Scope

The April 2021 Critical Patch Update for Siebel Core CRM applications contains patches for the following security issues:

CVE-2020-14195 Vulnerability in the Siebel UI Framework product of Oracle Siebel CRM (component: EAI (jackson-databind)). Supported versions that are affected are 21.2 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel UI Framework. Successful attacks of this vulnerability can result in takeover of Siebel UI Framework. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE-2020-5398 Vulnerability in the Siebel Engineering - Installer and Deployment product of Oracle Siebel CRM (component: Siebel Approval Manager (Spring Framework)). Supported versions that are affected are 21.1 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Engineering - Installer and Deployment. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Siebel Engineering - Installer and Deployment. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

CVE-2019-0227 Vulnerability in the Siebel UI Framework product of Oracle Siebel CRM (component: SWSE Server (Apache Axis)). Supported versions that are affected are 21.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with access to the physical communication segment attached to the hardware where the Siebel UI Framework executes to compromise Siebel UI Framework. Successful attacks of this vulnerability can result in takeover of Siebel UI Framework. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE-2019-10080 Vulnerability in the Siebel UI Framework product of Oracle Siebel CRM (component: EAI (Jersey)). Supported versions that are affected are 21.2 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Siebel UI Framework. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Siebel UI Framework accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

CVE-2020-9281 Vulnerability in the Siebel Apps - Customer Order Management product of Oracle Siebel CRM (component: Customizable Prod/Configurator (CKEditor)). Supported versions that are affected are 21.0 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps - Customer Order Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Siebel Apps - Customer Order Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Siebel Apps - Customer Order Management accessible data as well as unauthorized read access to a subset of Siebel Apps - Customer Order Management accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVE-2016-7103 Vulnerability in the Siebel UI Framework product of Oracle Siebel CRM (component: UIF Open UI (jQuery UI)). Supported versions that are affected are 21.2 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel UI Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Siebel UI Framework, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Siebel UI Framework accessible data as well as unauthorized read access to a subset of Siebel UI Framework accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVE-2019-11358 Vulnerability in the Siebel UI Framework product of Oracle Siebel CRM (component: UIF Open UI (jQuery)). Supported versions that are affected are 21.2 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel UI Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Siebel UI Framework, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Siebel UI Framework accessible data as well as unauthorized read access to a subset of Siebel UI Framework accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVE-2020-9488 Vulnerability in the Siebel UI Framework product of Oracle Siebel CRM (component: EAI (Apache Log4j)). Supported versions that are affected are 21.2 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel UI Framework. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Siebel UI Framework accessible data. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

