US-CERT released a security alert on August 13th addressing a serious vulnerability in Oracle Database for both Windows and Unix/Linux. This is the second patch relating to CVE-2018-3110, so even if you heard about the Oracle patch in July, double-check your version! A new patch was released on August 10th for Windows for database versions 11.2.0.4 and 12.2.0.1.
Here’s the version breakdown:
- Windows:
  - Version 12.1.0.2 is vulnerable and can be fixed with the July 2018 critical patch update.
  - Versions 11.2.0.4 and 12.2.0.1 are vulnerable and can be fixed with the new August 10th patch.
- Unix/Linux:
  - According to Oracle, all versions for Linux are vulnerable and can be fixed with the July 2018 critical patch update.
The exploit allows for total control and shell-level access to the vulnerable database with little effort. It seems that a low-privilege user account is required to perform the attack, but remember that such accounts are more likely to be compromised in the first place. The CVE has a score of 9.9/10, and the vulnerability should be fixed as soon as possible.
The original security alert released by Oracle with links to patch information can be found here.
Stay cyber-safe,