A vulnerability has been discovered in Oracle Database that could allow for complete compromise of the database, as well as shell access to the underlying server.  . The vulnerability resides in the Java Virtual Machine component of the Oracle Database Server and does not require user interaction. The vulnerability allows low-privileged attackers that have Create Session privilege with network access via Oracle Net to compromise the Java VM component.
The successful exploitation of this vulnerability could allow a remote, authenticated attacker to take complete control of the product and establish a shell access to the underlying server.
- Oracle Database versions 18.104.22.168, 22.214.171.124, 126.96.36.199 on Windows
- Oracle Database versions 12.1.02 on Unix or Linux
- Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing.
- Oracle Database versions 188.8.131.52 and 184.108.40.206 on Windows can be patched using the patches provided by the Oracle Security Alert. 
- Oracle Database versions 220.127.116.11 on Windows and Unix or Linux can be patched by applying the July 2018 Critical Patch Update.