A Vulnerability in Oracle Database Could Allow for Complete Compromise

MS-ISAC ADVISORY NUMBER:

2018-089

DATE(S) ISSUED:

08/13/2018

OVERVIEW:

A vulnerability has been discovered in Oracle Database that could allow for complete compromise of the database, as well as shell access to the underlying server. Oracle Database is a multi-model database management system commonly used for online transaction processing, data warehousing, and mixed database workloads. The vulnerability resides in the Java Virtual Machine (Java VM) component of the Oracle Database Server. Successful exploitation could allow a remote, authenticated attacker to take complete control of the product and establish shell access to the underlying server.

THREAT INTELLIGENCE:

There are currently no reports of this vulnerability being exploited in the wild, but Oracle strongly recommends that customers take action without delay.

SYSTEMS AFFECTED:

  • Oracle Database versions 11.2.0.4, 12.2.0.1, 12.1.0.2 on Windows
  • Oracle Database versions 12.1.0.2 on Unix or Linux

RISK:

Government:

  • Large and medium government entities: HIGH
  • Small government entities: HIGH

Businesses:

  • Large and medium business entities: HIGH
  • Small business entities: HIGH

Home Users:

LOW

TECHNICAL SUMMARY:

A vulnerability has been discovered in Oracle Database that could allow for complete compromise of the database, as well as shell access to the underlying server. The vulnerability resides in the Java Virtual Machine (Java VM) component of the Oracle Database Server and does not require user interaction. A low-privileged attacker who holds only the Create Session privilege and has network access to the database via Oracle Net can compromise the Java VM component. Successful exploitation could allow a remote, authenticated attacker to take complete control of the product and establish shell access to the underlying server. Because Create Session is the minimum privilege required to log in at all, every account that can connect to an affected database is a potential attack path. Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows are fixed by the patches provided with the Oracle Security Alert. Oracle Database version 12.1.0.2 on Windows, Unix, and Linux was already fixed by the July 2018 Critical Patch Update, so systems at that version need that Critical Patch Update rather than a separate alert patch.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing. For 12.1.0.2 this means confirming that the July 2018 Critical Patch Update is installed; for 11.2.0.4 and 12.2.0.1 on Windows, apply the Security Alert patches.
  • Restrict network access to the Oracle Net listener to the hosts that require it, and review which accounts hold Create Session, since that is the only privilege the attack requires.
  • Enforce password complexity, using NIST Special Publication 800-63B, Appendix A as a reference.
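The following SQL is an added example for this advisory, not material from MS-ISAC or Oracle. It shows how a DBA would confirm whether an instance falls into the affected-versions list above, whether the Java VM component is present at all, what patches the database itself records, and which accounts hold Create Session, the only privilege the attack needs. It assumes a DBA-privileged SQL*Plus session against a 12.1 or 12.2 data dictionary; on 11.2.0.4 the DBA_REGISTRY_SQLPATCH view and the FETCH FIRST clause do not exist, and patch history lives in DBA_REGISTRY_HISTORY instead.

```sql
-- Added triage queries for the Oracle Database Java VM vulnerability.
-- Run as a DBA account. Assumes 12.1/12.2 dictionary views (see note above).

-- 1. Exact version, platform host and instance, to match against the
--    affected-versions list in the advisory.
SELECT banner FROM v$version WHERE banner LIKE 'Oracle Database%';
SELECT instance_name, host_name, version FROM v$instance;

-- 2. Is the vulnerable component installed? No JAVAVM row means the
--    Java VM component is not present in this database.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id = 'JAVAVM';

-- 3. Most recent SQL patches the database has registered. Compare the
--    PATCH_ID / DESCRIPTION values against the Oracle Security Alert or
--    the July 2018 Critical Patch Update documentation for your version;
--    OJVM patches appear here as their own entries.
SELECT patch_id, action, status, action_time, description
  FROM dba_registry_sqlpatch
 ORDER BY action_time DESC
 FETCH FIRST 10 ROWS ONLY;

-- 4. Every open account that can start a session, either by a direct
--    CREATE SESSION grant or through a role that holds it (one level of
--    role nesting). Each of these accounts is a potential attack path.
SELECT u.username, u.account_status, u.profile, u.created
  FROM dba_users u
 WHERE u.account_status = 'OPEN'
   AND ( EXISTS (SELECT 1
                   FROM dba_sys_privs p
                  WHERE p.grantee   = u.username
                    AND p.privilege = 'CREATE SESSION')
      OR EXISTS (SELECT 1
                   FROM dba_role_privs r
                   JOIN dba_sys_privs rp ON rp.grantee = r.granted_role
                  WHERE r.grantee     = u.username
                    AND rp.privilege  = 'CREATE SESSION') )
 ORDER BY u.username;
```

Query 4 deliberately ignores whether an account has any Java privileges: the advisory states that Create Session plus Oracle Net reachability is sufficient, so the list of connectable accounts, not the list of Java developers, is the population to review and lock down until the patch is in place.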

REFERENCES: