X
Business

​Oracle Database on Windows: Patch this flaw now, we fixed it on Linux in July

Oracle warns customers to patch a remotely exploitable flaw affecting Oracle Database on Windows servers.
Written by Liam Tung, Contributing Writer

Database giant Oracle has released a fix for a severe bug in Oracle Database Server on Windows.

The Oracle Database Server bug, tagged with the identifier CVE-2018-3110, is about as severe as is possible because it can not only give an attacker "complete control" over the vulnerable 11g, 12c, and new 18c database, but also provides shell access to the Windows server it is running on top of.

The bug, which stems from a Java virtual-machine component of the database, has a CVSS v3 base score of 9.9 out of 10.

Vulnerable versions include Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows. It also affects version 12.1.0.2 on Windows, Linux, and Unix servers, however the latter two were patched in Oracle's planned July update, according to Oracle.

Admins responsible for Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows need to apply the patches in the advisory for CVE-2018-3110, while anyone running 12.1.0.2 on Windows -- as well as any version of the database on Linux or Unix that did not apply the July updates -- should apply the updates available here.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

"Due to the nature of this vulnerability, Oracle strongly recommends that customers take action without delay."

The flaw can be explored remotely, however an attacker would need to possess valid user credentials.

The bug is easily exploitable and "allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise Java VM", Oracle explains in support notes.

"While the vulnerability is in Java VM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java VM,"

Oracle did alert customers to the Database Server on Windows issue before this week's Patch Tuesday from Microsoft, which contained Windows kernel and OS fixes for the just disclosed Foreshadow speculative execution side channel attacks affecting Intel Core and Xeon CPU.

Foreshadow didn't impact Oracle's SPARC or Oracle Intel x86 servers, Oracle did release Foreshadow patches for its Oracle Linux OS, Solaris and VM Server for X86 products.

PREVIOUS AND RELATED COVERAGE

Oracle Solaris patch theft lands IT-support CEO in jail for two years

Oracle is happy that Terix's CEO is being jailed and fined $100,000.

Oracle critical update fixes 254 flaws - so get patching now

Fixes for vulnerabilities spread across 20 products and a Solaris patch that addresses the Spectre processor flaw.

Google Cloud adds support for Nvidia's Tesla P4 GPU

The compute accelerator is optimized for graphics-intensive applications and machine learning inference.

Gartner reveals one big reason Oracle's cloud hasn't caught on (TechRepublic)

Oracle is its own worst enemy when it comes to its cloud ambitions.

Google Next 2018: A deeper dive on AI and machine learning advances

Google Cloud announcements bring deep learning and big data analytics beyond data scientists, but enterprises will want more.

Microsoft Surface Go (CNET)

The new Microsoft Surface Go is the perfect size for casual coffee-shop computing, but getting the full experience quickly drives up the price.

Editorial standards