Oracle releases patch for 'critical' database vulnerability
CVE-2018-3110 is easy to exploit with possibly severe consequences
Oracle has issued a security alert over a critical vulnerability that affects versions of its enterprise database.
The vulnerability, labelled CVE-2018-3110, affects Oracle Database versions 11.2.0.4, 12.1.0.2 and 12.2.0.1 running on Windows, Unix and Linux. However, patches for 12.1.0.2 on Windows and for the versions running on Unix and Linux were released in July. Therefore, it is likely to be users of 11.2.0.4 and 12.2.0.1 running on Windows who will need to act with the greatest urgency.
According to Oracle: "CVE-2018-3110 has a CVSS v3 base score of 9.9, and can result in complete compromise of the Oracle Database and shell access to the underlying server."
The Common Vulnerability Scoring System (CVSS) is a measure of the severity of a vulnerability, giving it a number on a scale of 0 to 10. The 'base' metric takes into consideration the ease of attack, privileges required and complexity as well as the likely impact of a successful attack. A base score of 9.9 out of 10 puts CVE-2018-3110 at the top end of the 'critical' band, being very easy to exploit and potentially highly damaging in the event of a successful breach.
The vulnerability occurs in the Java VM component of Oracle Database Server. It allows a low-privileged attacker to gain Create Session privileges with network access via Oracle Net, from which it is possible to compromise the Java VM.
"Due to the nature of this vulnerability, Oracle strongly recommends that customers take action without delay," the company says.
The patch was made available on Friday. It only applies to Oracle Database Server installations, not client-only setups.
It is not known whether the vulnerability has been exploited in the wild, and the identity of its discoverer has not been made public.
It has been a busy year for Oracle sysadmins. In January, the company released a batch of 237 patches fixing 153 vulnerabilities in mission-critical applications