August 13, 2018 (updated 14 Aug 2018 10:00am)

Critical Oracle Database Flaw Paves the Way for Complete System Hijack

The vulnerability has been issued with a severity rating of 9.9.

By CBR Staff Writer

Oracle has urged customers to update their Oracle Database Server builds without delay following the discovery of a critical security flaw.

The vulnerability, CVE-2018-3110, impacts Oracle Database Server versions 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18 on Windows, Linux, and Unix operating systems.

Described as “easily exploitable” in a National Vulnerability Database (NVD) security advisory, the bug has been issued a CVSS base score of 9.9.

The problem lies in the Java VM component of an Oracle Database Server. An attacker with low privileges, including the Create Session privilege and access to the database over an Oracle Net network, is able to compromise Java VM. The vulnerability cannot be exploited remotely.

While the vulnerability lies in Java VM, Oracle has warned that “attacks may significantly impact additional products.”

If exploited, Java VM can be completely hijacked, compromising not only the Oracle Database but also shell access to the underlying servers, a problem that could cause severe damage and disruption to enterprise networks.

Patch Me Up

Patches for Linux and Unix builds were issued in Oracle’s July 2018 Critical Patch Update (CPU).


Windows users running Oracle Database versions 11.2.0.4 and 12.2.0.1, however, are asked to update their systems immediately. The fix does not apply to client-only installations, which are not affected.
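As an added triage aid that is not part of the original article or of Oracle's advisory, the following SQL*Plus queries show how a DBA can confirm whether a given database falls within the affected surface described above (Java VM installed, accounts able to open a session) and whether a Critical Patch Update has been recorded. The views and columns used are Oracle's documented data dictionary views; the patch description or version to compare against must be taken from Oracle's own advisory for the release in use, as none is assumed here.

```sql
-- Added example (not from the article or Oracle): triage queries a DBA can run
-- in SQL*Plus as a privileged user to scope exposure to CVE-2018-3110 and to
-- check whether the July 2018 CPU (or the later Windows patch) has been applied.
-- No patch ids are assumed here: compare DESCRIPTION/VERSION against the values
-- in Oracle's advisory for your release.

-- 1. Is the Java VM component installed and valid?  No JAVAVM row, or the Java
--    option reported as FALSE, means the database is outside the affected surface.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id = 'JAVAVM';

SELECT parameter, value
  FROM v$option
 WHERE parameter = 'Java';

-- 2. Which SQL patches have actually been applied (12c and 18c)?  Look for the
--    July 2018 update in DESCRIPTION with STATUS = 'SUCCESS'.  On 11.2.0.4 the
--    equivalent history lives in DBA_REGISTRY_HISTORY instead.
SELECT action_time, action, status, description
  FROM dba_registry_sqlpatch
 ORDER BY action_time DESC;

-- 3. Exposure: per the advisory, any low-privileged account holding CREATE SESSION
--    is a potential starting point.  List open accounts granted it directly so
--    unused ones can be locked or dropped before the patch window.
SELECT u.username, u.account_status, u.created
  FROM dba_users u
  JOIN dba_sys_privs p ON p.grantee = u.username
 WHERE p.privilege = 'CREATE SESSION'
   AND u.account_status = 'OPEN'
 ORDER BY u.username;

-- 3b. CREATE SESSION inherited through a role (e.g. CONNECT) counts as well.
SELECT rp.grantee, rp.granted_role
  FROM dba_role_privs rp
  JOIN role_sys_privs rs ON rs.role = rp.granted_role
 WHERE rs.privilege = 'CREATE SESSION'
 ORDER BY rp.grantee;
```

Running these before and after patching gives a simple before/after record: the JAVAVM row confirms the component is in scope, the patch registry confirms the fix landed, and the two privilege queries show how many accounts meet the advisory's "low privileged attacker with Create Session" precondition.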

Oracle has warned its customers: “Due to the nature of this vulnerability, Oracle strongly recommends that customers take action without delay.”

Oracle has not reported any examples of the vulnerability being exploited in the wild.

In July, the tech giant resolved a total of 334 security vulnerabilities. The massive CPU addressed a total of 61 critical bugs impacting software including Fusion Middleware, MySQL, and Java, among others.

Remote code execution, privilege escalation, and denial-of-service vulnerabilities were resolved in the update.
