This alert is originally published and can be viewed at cisecurity.org
OVERVIEW:
A vulnerability has been discovered in Oracle Database that could allow for complete compromise of the database, as well as shell access to the underlying server. Oracle Database is a multi-model database management system commonly used for running online transaction processing, data warehousing, and mixed database workloads. The vulnerability resides in the Java Virtual Machine component of the Oracle Database Server. The successful exploitation of this vulnerability could allow a remote, authenticated attacker to take complete control of the product and establish a shell access to the underlying server.
THREAT INTELLIGENCE:
There are currently no reports of this vulnerability being exploited in the wild, but Oracle strongly recommends that customers take action without delay.
SYSTEMS AFFECTED:
RISK:
Government:
Businesses:
Home Users: LOW
TECHNICAL SUMMARY:
A vulnerability has been discovered in Oracle Database that could allow for complete compromise of the database, as well as shell access to the underlying server. The vulnerability resides in the Java Virtual Machine component of the Oracle Database Server and does not require user interaction. The vulnerability allows low-privileged attackers that have Create Session privilege with network access via Oracle Net to compromise the Java VM component. The successful exploitation of this vulnerability could allow a remote, authenticated attacker to take complete control of the product and establish a shell access to the underlying server. Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows can be patched using the patches provided by the Oracle Security Alert. However, Oracle Database versions 12.1.0.2 on Windows and Unix or Linux can be patched by applying the July 2018 Critical Patch Update.
RECOMENDATIONS:
We recommend the following actions be taken:
REFERENCES:
Oracle:
http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-3110-5032149.html
NIST:
https://pages.nist.gov/800-63-3/sp800-63b.html#appA
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-3110
0 Comment Log in or register to post comments