A Vulnerability in Oracle Database Could Allow for Complete Compromise

ITS Advisory Number: 
2018-082
Date(s) Issued: 
Monday, August 13, 2018
Subject: 
A Vulnerability in Oracle Database Could Allow for Complete Compromise
Overview: 

A vulnerability has been discovered in Oracle Database that could allow for complete compromise of the database, as well as shell access to the underlying server. Oracle Database is a multi-model database management system commonly used for running online transaction processing, data warehousing, and mixed database workloads. The vulnerability resides in the Java Virtual Machine component of the Oracle Database Server. Successful exploitation of this vulnerability could allow a remote, authenticated attacker to take complete control of the product and establish shell access to the underlying server.

THREAT INTELLIGENCE:

There are currently no reports of this vulnerability being exploited in the wild, but Oracle strongly recommends that customers take action without delay.

Systems Affected: 
  • Oracle Database versions 11.2.0.4, 12.2.0.1, 12.1.0.2 on Windows

  • Oracle Database version 12.1.0.2 on Unix or Linux

Risk: 
Government: 
  • Large and medium government entities: High
  • Small government entities: High
Business: 
  • Large and medium business entities: High
  • Small business entities: High
Home Users: Low
Description: 

A vulnerability has been discovered in Oracle Database that could allow for complete compromise of the database, as well as shell access to the underlying server. The vulnerability resides in the Java Virtual Machine component of the Oracle Database Server and does not require user interaction. It allows low-privileged attackers who hold the Create Session privilege and have network access via Oracle Net to compromise the Java VM component. Successful exploitation could allow a remote, authenticated attacker to take complete control of the product and establish shell access to the underlying server. Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows can be patched using the patches provided by the Oracle Security Alert. Oracle Database version 12.1.0.2 on Windows and on Unix or Linux can be patched by applying the July 2018 Critical Patch Update.

Actions: 
  • After appropriate testing, immediately apply patches provided by Oracle to vulnerable systems.

  • Enforce password complexity, using NIST Special Publication 800-63B, Appendix A as a reference.
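The following audit queries are an added example and are not part of the ITS advisory or of Oracle's own guidance. They cover the two things a defender wants to know before and after the actions above: which release and Java VM component the instance is running, which accounts satisfy the precondition the Description names (an open account holding Create Session with Oracle Net access), whether the relevant patches have been recorded, and whether each profile actually enforces a password verification function. They assume a DBA-privileged SQL*Plus session on the instance under review; the data dictionary views used (V$VERSION, DBA_REGISTRY, DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_USERS, DBA_REGISTRY_SQLPATCH, DBA_PROFILES) are standard Oracle views, with the caveat noted in the comments for 11.2.0.4.

```sql
-- Added defender-side audit; not from the advisory or from Oracle.
-- Assumes a DBA-privileged connection to the instance being reviewed.

-- 1. Which release is this? Compare against the affected versions listed above.
SELECT banner
FROM   v$version
WHERE  banner LIKE 'Oracle Database%';

-- 2. Is the Java VM component (comp_id JAVAVM) installed, and is it VALID?
--    An instance without JAVAVM does not expose the affected component.
SELECT comp_id, version, status
FROM   dba_registry
WHERE  comp_id = 'JAVAVM';

-- 3. Open accounts that can open a session: CREATE SESSION granted directly,
--    or indirectly through the CONNECT role (which carries CREATE SESSION).
--    Locked or expired accounts are excluded because they cannot log in.
SELECT u.username, u.account_status, u.profile, p.via
FROM   dba_users u
JOIN (
        SELECT grantee, 'DIRECT' AS via
        FROM   dba_sys_privs
        WHERE  privilege = 'CREATE SESSION'
        UNION ALL
        SELECT grantee, 'CONNECT ROLE' AS via
        FROM   dba_role_privs
        WHERE  granted_role = 'CONNECT'
     ) p ON p.grantee = u.username
WHERE  u.account_status = 'OPEN'
ORDER BY u.username, p.via;

-- 4. Patches recorded in the database (12.1.0.2 and later).
--    DBA_REGISTRY_SQLPATCH does not exist in 11.2.0.4; there, run
--    "opatch lsinventory" from the Oracle home instead.
SELECT patch_id, action, status, action_time, description
FROM   dba_registry_sqlpatch
ORDER BY action_time DESC;

-- 5. Password complexity enforcement per profile. A limit of NULL means no
--    verification function is applied to accounts using that profile.
SELECT profile, limit AS password_verify_function
FROM   dba_profiles
WHERE  resource_name = 'PASSWORD_VERIFY_FUNCTION'
ORDER BY profile;
```

Query 3 is the one to reconcile with the Description: every row it returns is an account that meets the authentication precondition, so the list should be reviewed for service and default accounts that no longer need to log in. Query 5 is the check behind the second action: a profile whose limit is NULL is not enforcing any complexity rule, regardless of what the organisation's policy says.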