US-CERT released a security alert on August 13th addressing a serious vulnerability in Oracle Database for both Windows and Unix/Linux. This is the second patch relating to CVE-2018-3110, so even if you heard about the Oracle patch in July, double-check your version! A new patch was released on August 10th for Windows for database versions 11.2.0.4 and 12.2.0.1.
Here’s the version breakdown:
- Windows:
  - Version 12.1.0.2 is vulnerable and can be fixed with the July 2018 critical patch update.
  - Versions 11.2.0.4 and 12.2.0.1 are vulnerable and can be fixed with the new August 10th patch.
- Unix/Linux:
  - According to Oracle, all versions for Linux are vulnerable and can be fixed with the July 2018 critical patch update.
The exploit allows for total control of, and shell-level access to, the vulnerable database with little effort. It seems that a low-privilege user account is required to perform the attack, but remember that such accounts are more likely to be compromised in the first place. The CVE has a score of 9.9/10, and the vulnerability should be fixed as soon as possible.
The original security alert released by Oracle with links to patch information can be found here.
Stay cyber-safe,
Cyber-Protecting Our Nation’s Critical Infrastructure
At SecuLore, our mission is to cyber-protect our nation’s critical infrastructure. Led by experts in 9-1-1 technology, cyberwarfare, and ethical hacking, our team provides the technology, expertise, and training needed to defend customers from increasingly sophisticated cyber threats.