My Oracle Support Banner

Oracle Critical Patch Update (CPU) July 2021 for Siebel Core CRM (Doc ID 2787995.1)

Last updated on JULY 20, 2021

Applies to:

Support Tools > My Oracle Support > My Oracle Support
Information in this document applies to any platform.

Purpose

Oracle provides Critical Patch Updates (CPU) to its customers to fix security vulnerabilities. This document defines and identifies the Siebel Core CRM patches and minimum releases that are required for the Oracle products to address the security vulnerabilities announced in the Advisory for July 2021.

Scope

July 2019 Critical Patch Update for Siebel Core CRM applications contains patches for the following security issues:

CVE-2020-24750 Vulnerability in the Siebel Core - Server Framework product of Oracle Siebel CRM (component: Services (jackson-databind)). Supported versions that are affected are 21.5 and Prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Core - Server Framework. Successful attacks of this vulnerability can result in takeover of Siebel Core - Server Framework. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2020-27216 Vulnerability in the Siebel Core - Automation product of Oracle Siebel CRM (component: Test Automation (Eclipse Jetty)). Supported versions that are affected are 21.5 and Prior. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Siebel Core - Automation executes to compromise Siebel Core - Automation. Successful attacks of this vulnerability can result in takeover of Siebel Core - Automation. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

CVE-2017-5637 Vulnerability in the Siebel Core - Server Framework product of Oracle Siebel CRM (component: Cloud Gateway (Zookeeper)). Supported versions that are affected are 21.5 and Prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Core - Server Framework. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel Core - Server Framework. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

CVE-2020-1967 Vulnerability in the Siebel Core - Server Framework product of Oracle Siebel CRM (component: Services (OpenSSL)). Supported versions that are affected are 21.5 and Prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Siebel Core - Server Framework. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel Core - Server Framework. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2021-2338 Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Email Marketing Stand-Alone). Supported versions that are affected are 21.5 and Prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps - Marketing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Siebel Apps - Marketing, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Siebel Apps - Marketing accessible data as well as unauthorized read access to a subset of Siebel Apps - Marketing accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). (legend) [Advisory]

CVE-2021-2368 Vulnerability in the Siebel CRM product of Oracle Siebel CRM (component: Siebel Core - Server Infrastructure). Supported versions that are affected are 21.5 and Prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Siebel CRM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Siebel CRM accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

CVE-2021-2353 Vulnerability in the Siebel Core - Server Framework product of Oracle Siebel CRM (component: Loging). Supported versions that are affected are 21.5 and Prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Siebel Core - Server Framework executes to compromise Siebel Core - Server Framework. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Siebel Core - Server Framework accessible data. CVSS 3.1 Base Score 4.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

Details

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.