Another day, another vulnerability that needs to be patched as soon as possible. Oracle has informed of a security flaw that affects Oracle Database versions 126.96.36.199 and 188.8.131.52 running on Windows.
Technical Details about CVE-2018-3110
The vulnerability, which is given the CVE-2018-3110 identifier, is trivial to exploit but under the condition of a remote, authenticated attacker. It also doesn’t require user interaction.
A successful exploit may result in complete compromise of the Oracle Database and shell access to the underlying server. CVE-2018-3110 also affects Oracle Database version 184.108.40.206 on Windows as well as Oracle Database on Linux and Unix, however patches for those versions and platforms were included in the July 2018 CPU, the company noted in the underlying advisory.
The CVE-2018-3110 vulnerability resides in the Java Virtual Machine component of Oracle Database Server. If exploited, the vulnerability would allow hackers that have Create Session privilege with network access via Oracle Net to compromise the component.
How to Apply Patches for CVE-2018-3110
As explained by Oracle, “CVE-2018-3110 also affects Oracle Database version 220.127.116.11 on Windows as well as Oracle Database on Linux and Unix, however patches for those versions and platforms were included in the July 2018 CPU”.
In addition, customers running Oracle Database versions 18.104.22.168 and 22.214.171.124 on Windows should apply the patches provided by the Security Alert. As for customers running version 126.96.36.199 on Windows or any version of the database on Linux or Unix, they should apply the July 2018 Critical Patch Update.
It should be noted that the patch is not applicable to client-only installations, such as installations that don’t have the Oracle Database Server installed. The company also advises that the vulnerability should be mitigated “without delay”. It is also not known whether the vulnerability is currently exploited in the wild.
In April 2017, the software company released a security advisory that documented a staggering number of 299 security flaws in most of its products, Oracle Database Server inclusive, as well as Fusion Middleware, Enterprise Manager Base platform, PeopleSoft Enterprise, Java.The flaws in these services could be exploited remotely via HTTP which could lead to the complete hijacking of the vulnerable systems.