Security

Vulnerability in Java VM Component of Oracle Database allows for Whole System Compromise

Oracle has sent out a severe grade warning to all of its users to instantly update their systems to the latest versions released. There exists a security vulnerability in the Java VM component of Oracle’s database server which could be exploited to compromise and cause a wholesome takeover of Java VM.

According to the details published on the vulnerability dubbed CVE-2018-3110, the flaw affects versions 11.2.0.4 and 12.2.0.1 of the Oracle database on Windows. It affects versions 12.1.0.2 on Windows and Linux / Unix devices. Users who find themselves using these versions without having applied the July 2018 CPU should immediately upgrade their systems.

The vulnerability is regarded as easily exploitable allowing a low privileged attacker to compromise the Java VM with Create Session permissions and network access through Oracle Net. It makes sense that this easily exploitable and high risk vulnerability has received a CVSSS 3.0 base score of 9.9 as Oracle reaches out to all of its customers to urgently ask of them to upgrade their systems. The vulnerability impacts confidentiality, integrity, and availability.

Users should note that the updates released by Oracle for these vulnerabilities in its affected products are only limited to those product versions that are covered under the Premier Support of the Extended Support phases of the Lifetime Support Policy. Older versions of the products in question are also thought to be potentially vulnerable to the same kind of system compromise. Users still working with older versions of the Oracle Database should upgrade their systems immediately as well.

According to the risk matrix published by Oracle on this vulnerability, the exploit is not possible remotely without authorization. It is a relatively less complex attack and its impacts on confidentiality, integrity, and availability are high. The attack vector for the exploit is Network and the only package or privilege required is Create Session.


Leave a Reply

Your email address will not be published.

Close