A Vulnerability in Oracle Database Could Allow for Complete Compromise

August 17, 2018

Summary

A vulnerability has been discovered in Oracle Database that could allow for complete compromise of the database, as well as shell access to the underlying server [1]. The vulnerability resides in the Java Virtual Machine (Java VM) component of the Oracle Database Server and does not require user interaction. It allows a low-privileged attacker who holds the Create Session privilege and has network access via Oracle Net to compromise the Java VM component.

Impact

Successful exploitation of this vulnerability could allow a remote, authenticated attacker to take complete control of the product and establish shell access to the underlying server.

Vulnerable

  • Oracle Database versions 11.2.0.4, 12.2.0.1, 12.1.0.2 on Windows
  • Oracle Database version 12.1.0.2 on Unix or Linux

Recommendations

  • Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing.
  • Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows can be patched using the patches provided by the Oracle Security Alert. [1]
  • Oracle Database version 12.1.0.2 on Windows and Unix or Linux can be patched by applying the July 2018 Critical Patch Update. [3]
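Before scheduling the patch, a DBA will want to confirm on each instance whether the preconditions in the summary actually hold: an affected version, the Java VM component installed, and which accounts hold Create Session. The queries below are added triage queries written for this advisory, not material from Oracle's alert; they assume a DBA-level session (the DBA_* and V$ views are standard Oracle data dictionary views, and the ORACLE_MAINTAINED column exists from 12.1 onward, so drop that filter on 11.2.0.4).

```sql
-- 1. Instance version and platform: compare against the affected list above.
--    VERSION is reported with a trailing component, e.g. 12.1.0.2.0.
SELECT instance_name, version, host_name
  FROM v$instance;

SELECT platform_name
  FROM v$database;

-- 2. Is the Java VM component installed? If no JAVAVM row exists, the
--    vulnerable component is not present on this instance; a VALID status
--    means it is installed and usable.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id = 'JAVAVM';

-- 3. Accounts that meet the "low-privileged attacker" precondition:
--    CREATE SESSION held directly or through one level of role grant
--    (for example the CONNECT role). Oracle-maintained accounts are
--    excluded; deeper role nesting would need a recursive query.
SELECT DISTINCT u.username, u.account_status
  FROM dba_users u
  LEFT JOIN dba_role_privs r
         ON r.grantee = u.username
  JOIN dba_sys_privs p
    ON p.grantee IN (u.username, r.granted_role)
 WHERE p.privilege = 'CREATE SESSION'
   AND u.oracle_maintained = 'N'
 ORDER BY u.username;
```

Any open (non-locked) account returned by the third query on an affected, JAVAVM-enabled instance has the privilege level the advisory describes, which is the population to review while the patch is being tested.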

References

[1] http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-3110-...
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-3110
[3] http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html