US-CERT released a security alert on August 13th addressing a serious vulnerability in Oracle Database on both Windows and Unix/Linux. This is the second patch relating to CVE-2018-3110, so even if you heard about the Oracle patch in July, double-check your version! A new patch was released on August 10th for Windows installations of database versions 18.104.22.168 and 22.214.171.124.
Here’s the version breakdown:
- Version 126.96.36.199 is vulnerable and can be fixed with the July 2018 critical patch update.
- Versions 188.8.131.52 and 184.108.40.206 are vulnerable and can be fixed with the new August 10th patch.
- According to Oracle, all versions for Linux are vulnerable and can be fixed with the July 2018 critical patch update.
The exploit gives an attacker total control of the vulnerable database and shell-level access to the host with little effort. It appears that a low-privilege database account is required to carry out the attack, but remember that such accounts are the ones most likely to be compromised in the first place. The CVE carries a score of 9.9 out of 10 and should be patched as soon as possible.
The original security alert released by Oracle with links to patch information can be found here.
SecuLore Support Team