16 Aug Urgently patch your Oracle database or get held hostage (CVE-2018-3110)!
Oracle has just released a security alert urging customers to patch their Oracle Database installations to plug a critical security issue (it received a CVSS score of 9.9/10, which is very high and underlines the importance of patching). The vulnerability can result in a complete compromise of the Oracle Database and shell access to the underlying server. It is tracked as CVE-2018-3110. But what exactly is the problem and what can you do about it?
The vulnerability affects Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows (the version numbers here and below are the ones from Oracle's alert) and is reportedly easy to exploit remotely by an authenticated attacker. It lies in the Java Virtual Machine (JVM) component of Oracle Database Server. It requires no user interaction and allows an attacker who has been granted the Create Session privilege and has network access via Oracle Net to compromise the component. Worse still, a successful attack on the database can be used to attack other technologies as well.
The vulnerability also affects Oracle Database version 12.1.0.2 and version 18 (formerly known as 12.2.0.2) on Windows. Patches for those versions were included in the July 2018 Critical Patch Update (CPU), so no separate patch needs to be installed on top of the CPU. The same goes for versions 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18 on Linux and Unix.
The only way to permanently fix the issue is to patch your environment. But which patch should you apply in which situation?
- Customers running Oracle Database versions 11.2.0.4 or 12.2.0.1 on Windows should apply the patches provided by Oracle in the security alert
- Customers running versions 12.1.0.2 or 18 on Windows should apply the July 2018 Critical Patch Update
- Customers running versions 11.2.0.4, 12.1.0.2, 12.2.0.1 or 18 on Linux/Unix should also apply the July 2018 Critical Patch Update
As you can see, the risk of this vulnerability is very high, so patching is strongly advised. Note, however, that the vulnerability can only be exploited by someone who already has access to the database. This underlines the importance of a well-secured database environment. Monin can help by performing an Oracle Database Security Assessment to make sure your database environment follows security best practices. For more information, check out our Database Assessments.
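To decide which of the three patch paths above applies and to see who could actually reach the vulnerable component, the following triage script is added here as an example (it is not from the original post and not an Oracle-supplied tool). Run as a DBA in SQL*Plus, it reports the database release, whether the JVM component named in the alert is installed, which SQL patches have been recorded (to confirm the July 2018 CPU is present), and every account that holds CREATE SESSION either directly or through a (possibly nested) role. All views used are standard Oracle data dictionary views; DBA_REGISTRY_SQLPATCH exists from release 12.1 onwards (11.2 records applied patches in REGISTRY$HISTORY instead), and no account or role names are assumed.

```sql
-- Triage for CVE-2018-3110: added example, run as a DBA (e.g. SYS or a DBA-role user) in SQL*Plus.

-- 1. Which release is this? Decides whether the alert patch or the July 2018 CPU is the right fix.
SELECT banner
  FROM v$version;

-- 2. Is the affected component present? The alert places the flaw in the Java Virtual Machine
--    component, registered in the dictionary as JAVAVM ("JServer JAVA Virtual Machine").
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id = 'JAVAVM';

-- 3. Which SQL patches have been applied in this database? Look for the July 2018 CPU entry.
--    (12.1 and later; on 11.2 query REGISTRY$HISTORY, which has ACTION, VERSION, ID and COMMENTS.)
SELECT patch_id, action, status, action_time, description
  FROM dba_registry_sqlpatch
 ORDER BY action_time DESC;

-- 4. Who can open a session at all? Exploitation needs CREATE SESSION plus Oracle Net access,
--    so this is the population that matters. Roles may be nested, so the recursive subquery
--    walks DBA_ROLE_PRIVS until it reaches a role that holds the privilege directly
--    (for example the CONNECT role). Oracle forbids circular role grants, so no CYCLE clause is needed.
WITH role_tree (grantee, granted_role) AS (
  SELECT grantee, granted_role
    FROM dba_role_privs
  UNION ALL
  SELECT rt.grantee, rp.granted_role
    FROM role_tree rt
    JOIN dba_role_privs rp ON rp.grantee = rt.granted_role
),
session_holders AS (
  -- direct grant
  SELECT grantee
    FROM dba_sys_privs
   WHERE privilege = 'CREATE SESSION'
  UNION
  -- grant inherited through one or more roles
  SELECT rt.grantee
    FROM role_tree rt
    JOIN dba_sys_privs sp ON sp.grantee = rt.granted_role
   WHERE sp.privilege = 'CREATE SESSION'
)
SELECT u.username, u.account_status, u.profile, u.created
  FROM dba_users u
  JOIN session_holders sh ON sh.grantee = u.username
 ORDER BY u.username;
```

Query 4 deliberately joins back to DBA_USERS so that only real accounts are listed (role names drop out). Accounts that appear here but no longer need database access, or that have a default or shared password, are the ones to review first while the patch is being scheduled; removing CREATE SESSION from them closes the precondition the alert describes.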
Do you still have questions about this vulnerability? Need help installing the patches? Not sure whether you need to install any patches in your database environment? Just ask us for more information or help with this vulnerability and its solutions.
Some interesting links:
- More information about this vulnerability from the Oracle website: http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-3110-5032149.html
- More information about the quarterly release Critical Patch Updates: https://www.oracle.com/technetwork/topics/security/alerts-086861.html