
Critical Vulnerability was discovered in the Java VM component of Oracle Database Server

Reference: 
Advisory #2018-023
Version: 
1.0
Affected software: 
Oracle Database Server versions 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18.
Type: 
User privilege escalation to session privileges; obtaining additional privileges
CVE/CVSS: 

CVE: CVE-2018-3110
CVSS: 9.9

Sources

http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-3110-...
https://www.security-database.com/detail.php?alert=CVE-2018-3110
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Risks

Successful exploitation of this vulnerability can result in privilege escalation to session privileges. The attacker requires network access and low-privileged credentials to compromise the Java Virtual Machine. This can impact additional products relying on the Java Virtual Machine.

Description

A vulnerability was discovered in the Java VM component of Oracle Database Server. The affected supported versions are 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18. This easily exploitable vulnerability allows an attacker with low-privilege credentials and network access to upgrade the current privileges to session privileges via the Oracle Net protocol and compromise the Java Virtual Machine. Successful attacks can result in a takeover of the Java Virtual Machine and of products relying on it.

Recommended Actions

CERT.be recommends that users always keep their systems up to date. Patches can be downloaded at the following address: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html