[BreachExchange] Critical vulnerability in Oracle Database, patch without delay!

Destry Winant destry at riskbasedsecurity.com
Tue Aug 14 08:56:16 EDT 2018


https://www.helpnetsecurity.com/2018/08/13/cve-2018-3110/

Oracle is urging users to patch their Oracle Database installations to
plug a critical security issue that can result in complete compromise
of the Oracle Database and shell access to the underlying server.

About the vulnerability (CVE-2018-3110)

The vulnerability (CVE-2018-3110) affects Oracle Database versions
11.2.0.4 and 12.2.0.1 on Windows and is reportedly easy to exploit,
but only remotely and only by an authenticated attacker.

The vulnerability is in the Java Virtual Machine component of Oracle
Database Server. It requires no user interaction and allows attackers
who have the Create Session privilege and network access via Oracle Net
to compromise the component.

“CVE-2018-3110 also affects Oracle Database version 12.1.0.2 on
Windows as well as Oracle Database on Linux and Unix, however patches
for those versions and platforms were included in the July 2018 CPU,”
Oracle shared.

“Customers running Oracle Database versions 11.2.0.4 and 12.2.0.1 on
Windows should apply the patches provided by the Security Alert.
Customers running version 12.1.0.2 on Windows or any version of the
database on Linux or Unix should apply the July 2018 Critical Patch
Update if they have not already done so.”

The fix, offered late last Friday, is not applicable to client-only
installations, i.e., installations that do not have the Oracle
Database Server installed.

“Due to the nature of this vulnerability, Oracle strongly recommends
that customers take action without delay,” the company said, but did
not mention whether it is being exploited in the wild or how the flaw
was discovered.
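As an added exposure check (not part of the article or of Oracle's advisory), the following read-only SQL*Plus script, run by a DBA, reports the facts the article says decide whether an installation is in scope: database version and platform, whether the database JVM component is present, which accounts hold CREATE SESSION, and the applied patch history. It assumes the standard Oracle data dictionary views V$INSTANCE, DBA_REGISTRY, DBA_SYS_PRIVS and DBA_USERS; DBA_REGISTRY_SQLPATCH is assumed to exist only on 12.1 and later.

```sql
-- Added exposure check for CVE-2018-3110 (not from the article or Oracle).
-- Run as a DBA in SQL*Plus. Read-only: it only queries the data dictionary.
SET LINESIZE 160 PAGESIZE 100

-- 1. Version and platform. The Security Alert covers 11.2.0.4 and 12.2.0.1
--    on Windows; 12.1.0.2 on Windows and all Linux/Unix builds were fixed
--    in the July 2018 CPU, so those need that CPU rather than the alert patch.
SELECT instance_name, version, platform_name
  FROM v$instance;

-- 2. Is the affected component (the database JVM) actually installed?
--    Client-only installations are out of scope, and a server without the
--    JAVAVM component has no JVM component to patch.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id = 'JAVAVM';

-- 3. Which accounts meet the prerequisite (CREATE SESSION plus Oracle Net
--    access)? Review this list and lock or drop accounts that are unused.
--    Direct grants only; grants via roles also need DBA_ROLE_PRIVS.
SELECT p.grantee, u.account_status, u.profile
  FROM dba_sys_privs p
  LEFT JOIN dba_users u ON u.username = p.grantee
 WHERE p.privilege = 'CREATE SESSION'
 ORDER BY p.grantee;

-- 4. (12.1 and later only) Patch history, to confirm that the July 2018 CPU
--    or the Security Alert patch has actually been applied to this database.
SELECT patch_id, action, status, action_time, description
  FROM dba_registry_sqlpatch
 ORDER BY action_time DESC;
```

On 11.2 the fourth query fails because the view does not exist; use `opatch lsinventory` on the Oracle home to confirm the patch there instead.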


More information about the BreachExchange mailing list