ID: CVE-2017-3486
Type: cve
Reporter: cve@mitre.org
Modified: 2019-10-03T00:03:00
Description
Vulnerability in the SQL*Plus component of Oracle Database Server. Supported versions that are affected are 11.2.0.4 and 12.1.0.2. Difficult to exploit vulnerability allows high privileged attacker having Local Logon privilege with logon to the infrastructure where SQL*Plus executes to compromise SQL*Plus. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in SQL*Plus, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of SQL*Plus. Note: This score is for Windows platform version 11.2.0.4 of Database. For Windows platform version 12.1.0.2 and Linux, the score is 6.3 with scope Unchanged. CVSS 3.0 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H).
{"id": "CVE-2017-3486", "bulletinFamily": "NVD", "title": "CVE-2017-3486", "description": "Vulnerability in the SQL*Plus component of Oracle Database Server. Supported versions that are affected are 11.2.0.4 and 12.1.0.2. Difficult to exploit vulnerability allows high privileged attacker having Local Logon privilege with logon to the infrastructure where SQL*Plus executes to compromise SQL*Plus. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in SQL*Plus, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of SQL*Plus. Note: This score is for Windows platform version 11.2.0.4 of Database. For Windows platform version 12.1.0.2 and Linux, the score is 6.3 with scope Unchanged. CVSS 3.0 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H).", "published": "2017-04-24T19:59:00", "modified": "2019-10-03T00:03:00", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3486", "reporter": "cve@mitre.org", "references": ["http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html", "http://www.securityfocus.com/bid/97870", "http://www.securitytracker.com/id/1038284"], "cvelist": ["CVE-2017-3486"], "type": "cve", "lastseen": "2019-10-04T12:19:08", "history": [{"bulletin": {"affectedSoftware": [{"name": "oracle sql_plus", "operator": "eq", "version": "12.1.0.2"}, {"name": "oracle sql_plus", "operator": "eq", "version": "11.2.0.4"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:oracle:sql_plus:11.2.0.4", "cpe:/a:oracle:sql_plus:12.1.0.2"], "cpe23": ["cpe:2.3:a:oracle:sql_plus:12.1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:sql_plus:11.2.0.4:*:*:*:*:*:*:*"], "cvelist": ["CVE-2017-3486"], "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"accessComplexity": 
"HIGH", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.7, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 1.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "LOW", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.6, "impactScore": 6.0}, "cwe": ["CWE-284"], "description": "Vulnerability in the SQL*Plus component of Oracle Database Server. Supported versions that are affected are 11.2.0.4 and 12.1.0.2. Difficult to exploit vulnerability allows high privileged attacker having Local Logon privilege with logon to the infrastructure where SQL*Plus executes to compromise SQL*Plus. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in SQL*Plus, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of SQL*Plus. Note: This score is for Windows platform version 11.2.0.4 of Database. For Windows platform version 12.1.0.2 and Linux, the score is 6.3 with scope Unchanged. CVSS 3.0 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H).", "edition": 1, "enchantments": {"dependencies": {"modified": "2019-05-29T18:16:59", "references": [{"idList": ["OPENVAS:1361412562310808703"], "type": "openvas"}, {"idList": ["ORACLE_RDBMS_CPU_APR_2017.NASL"], "type": "nessus"}, {"idList": ["ORACLE:CPUAPR2017-3236618"], "type": "oracle"}]}, "score": {"modified": "2019-05-29T18:16:59", "value": 5.2, "vector": "NONE"}}, "hash": "c05d6628d20d78d007396f1a50e60af00be169b3b2033abaad127490cc20a93a", "hashmap": [{"hash": "af3eb5ff2105df2d936f49f5314e2377", "key": "cvss2"}, {"hash": "a35a8c59f4a8900d97c63f2f2ccdb465", "key": "modified"}, {"hash": "5db4571344f31285921051b3e5a63779", "key": "cvss3"}, {"hash": "0321238310d2fd9efd8a493df0790456", "key": "cpe"}, {"hash": "8e9428a43556aa511c03c1209995c9eb", "key": "cpe23"}, {"hash": "bc495ad93d5bfea23450bb6db541fc42", "key": "title"}, {"hash": "4effc609a4a160b45b9de137578a09fb", "key": "published"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "a6a157426ce0c78f618cadd66d3e54f8", "key": "references"}, {"hash": "d4e700f0b6c3f62e18f082b92ede4fd8", "key": "affectedSoftware"}, {"hash": "b377eeb20a71d803a02343f297cff73a", "key": "cvss"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "41153935f462c2269c39a9f34d208917", "key": "description"}, {"hash": "bf65bed5ef164b420c3766cd1a3b85a5", "key": "cwe"}, {"hash": "9f2698b144d692775beb7ee6fac75b19", "key": "href"}, {"hash": "bafd72051c16690fd58a188b6dc78eab", "key": "cvelist"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3486", "id": "CVE-2017-3486", "lastseen": "2019-05-29T18:16:59", "modified": "2017-07-11T01:33:00", "objectVersion": "1.3", "published": "2017-04-24T19:59:00", "references": ["http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html", "http://www.securityfocus.com/bid/97870", 
"http://www.securitytracker.com/id/1038284"], "reporter": "cve@mitre.org", "title": "CVE-2017-3486", "type": "cve", "viewCount": 0}, "differentElements": ["modified", "cwe"], "edition": 1, "lastseen": "2019-05-29T18:16:59"}], "edition": 2, "hashmap": [{"key": "affectedSoftware", "hash": "d4e700f0b6c3f62e18f082b92ede4fd8"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "0321238310d2fd9efd8a493df0790456"}, {"key": "cpe23", "hash": "8e9428a43556aa511c03c1209995c9eb"}, {"key": "cvelist", "hash": "bafd72051c16690fd58a188b6dc78eab"}, {"key": "cvss", "hash": "b377eeb20a71d803a02343f297cff73a"}, {"key": "cvss2", "hash": "af3eb5ff2105df2d936f49f5314e2377"}, {"key": "cvss3", "hash": "5db4571344f31285921051b3e5a63779"}, {"key": "cwe", "hash": "d370d473ba1bd1721d669ef98e2aeebb"}, {"key": "description", "hash": "41153935f462c2269c39a9f34d208917"}, {"key": "href", "hash": "9f2698b144d692775beb7ee6fac75b19"}, {"key": "modified", "hash": "1f0cc7832f07ee78350b613e89af69f8"}, {"key": "published", "hash": "4effc609a4a160b45b9de137578a09fb"}, {"key": "references", "hash": "a6a157426ce0c78f618cadd66d3e54f8"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "bc495ad93d5bfea23450bb6db541fc42"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "95c1da746108d032fe312a514388eb74fedeb4152e517102bd9641669de8cf1e", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "nessus", "idList": ["ORACLE_RDBMS_CPU_APR_2017.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310808703"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2017-3236618"]}], "modified": "2019-10-04T12:19:08"}, "score": {"value": 5.2, "vector": "NONE", "modified": "2019-10-04T12:19:08"}, "vulnersScore": 5.2}, "objectVersion": "1.3", "cpe": ["cpe:/a:oracle:sql_plus:11.2.0.4", "cpe:/a:oracle:sql_plus:12.1.0.2"], "affectedSoftware": [{"name": "oracle sql_plus", "operator": "eq", "version": 
"12.1.0.2"}, {"name": "oracle sql_plus", "operator": "eq", "version": "11.2.0.4"}], "cvss2": {"cvssV2": {"accessComplexity": "HIGH", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.7, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 1.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "LOW", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.6, "impactScore": 6.0}, "cpe23": ["cpe:2.3:a:oracle:sql_plus:12.1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:sql_plus:11.2.0.4:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-noinfo"], "scheme": null}
{"nessus": [{"lastseen": "2019-12-13T08:40:43", "bulletinFamily": "scanner", "description": "The remote Oracle Database Server is missing the April 2017 Critical\nPatch Update (CPU). It is, therefore, affected by multiple\nvulnerabilities :\n\n - An unspecified flaw exists in the SQL*Plus component\n that allows a local attacker to impact confidentiality,\n integrity, and availability. (CVE-2017-3486)\n\n - An unspecified flaw exists in the OJVM component that\n allows an authenticated, remote attacker to cause a\n denial of service condition. (CVE-2017-3567)", "modified": "2019-12-02T00:00:00", "id": "ORACLE_RDBMS_CPU_APR_2017.NASL", "href": "https://www.tenable.com/plugins/nessus/99480", "published": "2017-04-19T00:00:00", "title": "Oracle Database Multiple Vulnerabilities (April 2017 CPU)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif (!defined_func(\"nasl_level\") || nasl_level() < 5000) exit(0, \"Nessus older than 5.x\");\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99480);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/09/17 21:46:53\");\n\n script_cve_id(\n \"CVE-2017-3486\",\n \"CVE-2017-3567\"\n );\n script_bugtraq_id(\n 97870,\n 97873\n );\n\n script_name(english:\"Oracle Database Multiple Vulnerabilities (April 2017 CPU)\");\n script_summary(english:\"Checks installed patch info\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote database server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Database Server is missing the April 2017 Critical\nPatch Update (CPU). It is, therefore, affected by multiple\nvulnerabilities :\n\n - An unspecified flaw exists in the SQL*Plus component\n that allows a local attacker to impact confidentiality,\n integrity, and availability. 
(CVE-2017-3486)\n\n - An unspecified flaw exists in the OJVM component that\n allows an authenticated, remote attacker to cause a\n denial of service condition. (CVE-2017-3567)\");\n # http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?623d2c22\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2017 Oracle\nCritical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"manual\");\n script_set_attribute(attribute:\"cvss_score_rationale\", value:\"score from a more in depth analysis done by Tenable\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\",value:\"2017/04/18\");\n script_set_attribute(attribute:\"patch_publication_date\",value:\"2017/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/19\");\n\n script_set_attribute(attribute:\"plugin_type\",value:\"local\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:oracle:database_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Databases\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_rdbms_query_patch_info.nbin\", \"oracle_rdbms_patch_info.nbin\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"oracle_rdbms_cpu_func.inc\");\ninclude(\"misc_func.inc\");\n\npatches = make_nested_array();\n\n# RDBMS 12.1.0.2\npatches[\"12.1.0.2\"][\"db\"][\"nix\"] = make_array(\"patch_level\", \"12.1.0.2.170418\", \"CPU\", \"25171037, 25433352, 26022196\");\npatches[\"12.1.0.2\"][\"db\"][\"win\"] = make_array(\"patch_level\", \"12.1.0.2.170418\", \"CPU\", \"25632533, 25872779, 26161724\");\n# RDBMS 11.2.0.4 #\npatches[\"11.2.0.4\"][\"db\"][\"nix\"] = make_array(\"patch_level\", \"11.2.0.4.170418\", \"CPU\", \"25369547, 24732075, 25869727\");\npatches[\"11.2.0.4\"][\"db\"][\"win\"] = make_array(\"patch_level\", \"11.2.0.4.170418\", \"CPU\", \"25632525, 25874796\");\n\n# JVM 12.1.0.2\npatches[\"12.1.0.2\"][\"ojvm\"][\"nix\"] = make_array(\"patch_level\", \"12.1.0.2.170418\", \"CPU\", \"25437695, 26027162\");\npatches[\"12.1.0.2\"][\"ojvm\"][\"win\"] = make_array(\"patch_level\", \"12.1.0.2.170418\", \"CPU\", \"25590993\");\n# JVM 11.2.0.4\npatches[\"11.2.0.4\"][\"ojvm\"][\"nix\"] = make_array(\"patch_level\", \"11.2.0.4.170418\", \"CPU\", \"25434033, 26027154\");\npatches[\"11.2.0.4\"][\"ojvm\"][\"win\"] = make_array(\"patch_level\", \"11.2.0.4.170418\", \"CPU\", \"25590979\");\n\ncheck_oracle_database(patches:patches, high_risk:TRUE);\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:35:15", "bulletinFamily": "scanner", "description": "This host is running Oracle Database Server\n and is prone multiple unspecified vulnerabilities.", "modified": "2018-11-21T00:00:00", "published": "2016-07-21T00:00:00", "id": "OPENVAS:1361412562310808703", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808703", "title": "Oracle Database Server Unspecified Vulnerability -01 July16", "type": "openvas", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_oracle_db_unspecified_vuln01_july16.nasl 12455 2018-11-21 09:17:27Z cfischer $\n#\n# Oracle Database Server Unspecified Vulnerability -01 July16\n#\n# Authors:\n# Tushar Khelge <ktushar@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:database_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808703\");\n script_version(\"$Revision: 12455 $\");\n script_cve_id(\"CVE-2016-3479\", \"CVE-2016-5555\", \"CVE-2016-5505\", \"CVE-2016-5498\",\n \"CVE-2016-5499\", \"CVE-2016-3562\", \"CVE-2017-3310\", \"CVE-2017-3486\",\n \"CVE-2016-2183\", \"CVE-2014-3566\", \"CVE-2017-10261\");\n script_bugtraq_id(91898, 93615, 93613, 93620, 93629, 93640, 95481, 92630, 70574, 101344);\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-21 10:17:27 +0100 (Wed, 21 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-07-21 18:47:32 +0530 (Thu, 21 Jul 2016)\");\n script_name(\"Oracle 
Database Server Unspecified Vulnerability -01 July16\");\n\n script_tag(name:\"summary\", value:\"This host is running Oracle Database Server\n and is prone multiple unspecified vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws are due to,\n\n - Multiple unspecified errors.\n\n - Multiple unspecified errors related to components 'DBMS_LDAP',\n 'Real Application Clusters' and 'XML Database' components.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploitation will allow remote\n authenticated attackers to affect confidentiality, integrity, and availability\n via unknown vectors.\");\n\n script_tag(name:\"affected\", value:\"Oracle Database Server versions\n 11.2.0.4 and 12.1.0.2\");\n\n script_tag(name:\"solution\", value:\"Apply the patches from the referenced advisories.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Databases\");\n script_dependencies(\"oracle_tnslsnr_version.nasl\");\n 
script_mandatory_keys(\"OracleDatabaseServer/installed\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\n\nif(!dbPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dbVer = get_app_version(cpe:CPE, port:dbPort)){\n exit(0);\n}\n\nif(version_is_equal(version:dbVer, test_version:\"11.2.0.4\") ||\n version_is_equal(version:dbVer, test_version:\"12.1.0.2\"))\n{\n report = report_fixed_ver(installed_version:dbVer, fixed_version:\"Apply the appropriate patch\");\n security_message(data:report, port:dbPort);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "oracle": [{"lastseen": "2019-05-29T18:21:19", "bulletinFamily": "software", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 300 new security fixes across the product families listed below. 
Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [April 2017 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2252203.1>).\n\nPlease note that the vulnerabilities in this Critical Patch Update are scored using version 3.0 of Common Vulnerability Scoring Standard (CVSS).\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available [here](<http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>).\n", "modified": "2017-06-20T00:00:00", "published": "2017-04-18T00:00:00", "id": "ORACLE:CPUAPR2017-3236618", "href": "", "title": "Oracle Critical Patch Update - April 2017", "type": "oracle", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}