A Vulnerability in Oracle Database Could Allow for Complete Compromise

August 17, 2018


A vulnerability has been discovered in Oracle Database that could allow for complete compromise of the database, as well as shell access to the underlying server [1]. The vulnerability resides in the Java Virtual Machine component of the Oracle Database Server and does not require user interaction. It allows low-privileged attackers who have the Create Session privilege and network access via Oracle Net to compromise the Java VM component.


Successful exploitation of this vulnerability could allow a remote, authenticated attacker to take complete control of the product and establish shell access to the underlying server.


  • Oracle Database versions,, on Windows
  • Oracle Database versions 12.1.02 on Unix or Linux


  • Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing.
  • Oracle Database versions and on Windows can be patched using the patches provided by the Oracle Security Alert. [1]
  • Oracle Database versions on Windows and Unix or Linux can be patched by applying the July 2018 Critical Patch Update. [3]
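
An exposure check for the preconditions described above (Java VM component present, accounts holding Create Session), added here as an example and not taken from Oracle or the original advisory. It assumes a DBA-privileged session and Oracle Database 12.1 or later (for `DBA_REGISTRY_SQLPATCH`), and uses only standard data dictionary views.

```sql
-- 1. Is the Java VM component installed, and in what state?
--    No row returned means the affected component is not present.
SELECT comp_id, comp_name, version, status
FROM   dba_registry
WHERE  comp_id = 'JAVAVM';

-- 2. Open accounts that hold CREATE SESSION, either directly or
--    through a chain of granted roles. These are the accounts that
--    meet the privilege precondition stated in the advisory.
WITH priv_holders (grantee) AS (
  -- users and roles granted the privilege directly
  SELECT grantee
  FROM   dba_sys_privs
  WHERE  privilege = 'CREATE SESSION'
  UNION ALL
  -- users and roles that were granted one of those roles
  SELECT rp.grantee
  FROM   dba_role_privs rp, priv_holders ph
  WHERE  rp.granted_role = ph.grantee
)
SELECT u.username, u.account_status
FROM   dba_users u
WHERE  u.account_status = 'OPEN'
AND   (u.username IN (SELECT grantee FROM priv_holders)
       -- a grant to PUBLIC gives the privilege to every account
       OR EXISTS (SELECT 1 FROM priv_holders WHERE grantee = 'PUBLIC'))
ORDER  BY u.username;

-- 3. SQL patches recorded in this database. Compare the result with
--    the patch named in the Oracle Security Alert [1] or the
--    July 2018 Critical Patch Update [3]; no patch number is
--    hard-coded here because the advisory text does not give one.
SELECT patch_id, action, status, action_time, description
FROM   dba_registry_sqlpatch
ORDER  BY action_time;
```

Accounts returned by the second query that have no business need to log in are candidates for locking or for revoking Create Session until the patch is applied.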


[1] http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-3110-...
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-3110
[3] http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html