Oracle is warning customers about a critical vulnerability in its database product and urging users to update immediately
Oracle is warning customers about a critical vulnerability in Oracle database product and urging users to update immediately. The vulnerability tracked as CVE-2018-3110 has a CVSS score of 9.9 and affects Oracle Database version 11.2.0.4, 12.2.0.1, 12.1.0.2 on Windows and 12.1.0.2 running on Unix or Linux. The flaw resides in the Java VM component of Oracle Database Server which can be exploited by an attacker to gain complete control of the product and shell access to the underlying server. “Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18. Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise Java VM. While the vulnerability is in Java VM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java VM.” said Oracle in the advisory published. The patches for this vulnerability have been already released in the Oracle July 2018 CPU. Oracle has advised all the customers to apply the patches as soon as possible. Due to the nature of this vulnerability, Oracle recommends that customers apply these patches as soon as possible. This means that:
- Customers running Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows should apply the patches provided by the Security Alert.
- Customers running version 12.1.0.2 on Windows or any version of the database on Linux or Unix should apply the July 2018 Critical Patch Update if they have not already done so.
You may be interested in reading: Researchers Discovered Critical Flaws in Leading mPOS Devices