Oracle has urged customers to update their Oracle Database Server builds without delay following the discovery of a critical security flaw.
The vulnerability, CVE-2018-3110, impacts Oracle Database Server versions 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18 on Windows, Linux, and Unix operating systems.
Described as “easily exploitable” in the National Vulnerability Database (NVD) entry, the bug carries a CVSS v3 base score of 9.9.
The problem lies in the Java VM component of Oracle Database Server. An attacker with low privileges, needing only the Create Session privilege and network access via Oracle Net, is able to compromise Java VM. The vulnerability is therefore not remotely exploitable without authentication: the attacker must already hold valid database credentials, but no elevated privileges are required.
While the vulnerability lies in Java VM, Oracle has warned that “attacks may significantly impact additional products.”
Successful exploitation gives an attacker complete control of Java VM, and with it full compromise of the Oracle Database and shell access to the underlying server, a problem that could cause severe damage and disruption to enterprise networks.
Patch Me Up
Patches for Linux and Unix builds, and for 12.1.0.2 on Windows, were issued in Oracle’s July 2018 Critical Patch Update (CPU).
Windows users running Oracle Database 11.2.0.4 or 12.2.0.1 did not receive a fix in that CPU and are asked to apply the newly released patch immediately. The vulnerability does not affect client-only installations, i.e. hosts on which Oracle Database Server itself is not installed, so no patch is required there.
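As an added example (not from the article, and not an Oracle-supplied script), the following triage queries let a DBA decide whether a given instance is in scope: they report the release and platform, whether the Java VM component is installed at all, which SQL patches the registry records as applied (12c and later), and which accounts hold the Create Session privilege the attacker needs. Specific patch numbers are not listed because the article does not quote them; compare the output against the patch IDs in Oracle’s alert for your release.

```sql
-- CVE-2018-3110 triage queries (added example, not Oracle's own tooling).
-- Run as SYSDBA or a user holding SELECT_CATALOG_ROLE.

-- 1. Release and platform. The Windows builds 11.2.0.4 and 12.2.0.1 are the
--    ones that were not covered by the July 2018 CPU.
SELECT banner FROM v$version WHERE banner LIKE 'Oracle Database%';
SELECT platform_name FROM v$database;

-- 2. Is the affected component present? An instance with no JAVAVM row
--    (or one in REMOVED status) is not running the Java VM component.
SELECT comp_id, comp_name, version, status
FROM   dba_registry
WHERE  comp_id = 'JAVAVM';

-- 3. SQL patches recorded as applied (12.1 and later only; the view does not
--    exist in 11.2.0.4, where "opatch lsinventory" run from the Oracle home is
--    the reference instead).
SELECT patch_id, version, action, status, action_time, description
FROM   dba_registry_sqlpatch
ORDER  BY action_time;

-- 4. Who could exploit this: any account that can connect. Review unused,
--    default or shared accounts with CREATE SESSION as low-privilege footholds.
SELECT d.username, d.account_status
FROM   dba_users d
JOIN   dba_sys_privs p ON p.grantee = d.username
WHERE  p.privilege = 'CREATE SESSION'
  AND  d.oracle_maintained = 'N'   -- column exists on 12c+; drop this line on 11.2
ORDER  BY d.username;
```

Query 4 is a reminder that the precondition for this bug is cheap: with a CVSS vector requiring only PR:L, every locked-out or forgotten account that can still open a session is a candidate path to the Java VM, so account hygiene is a compensating control while the patch is being scheduled.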
Oracle has warned its customers that: “Due to the nature of this vulnerability, Oracle strongly recommends that customers take action without delay.”
Oracle has not reported any examples of the vulnerability being exploited in the wild.
In July, the tech giant resolved a total of 334 security vulnerabilities. The massive CPU addressed a total of 61 critical bugs impacting software including Fusion Middleware, MySQL, and Java, among others.
Remote code execution, privilege escalation, and denial-of-service vulnerabilities were resolved in the update.