Update Oracle Database for critical vulnerability
8/14/18 Update: Version 18 of Oracle Database is also affected by this vulnerability. If you are running version 18 on any operating system and have not yet applied the July 2018 CPU, do so now; that CPU addresses the vulnerability.
8/13/18: The information below was sent to U-M IT staff groups via email on August 13, 2018. It is intended for U-M IT staff who are responsible for university servers (on premise or in the cloud) running Oracle Database.
Summary
A critical vulnerability has been discovered in Oracle Database. Successful exploitation could allow a remote, authenticated attacker to take complete control of the database and establish shell access to the underlying server.
Problem
The Oracle Java Virtual Machine (JVM) component of Oracle Database has a critical vulnerability that allows an authenticated user to access the entire Oracle database and gain shell-level access to the underlying server.
Threats
There are currently no reports of this vulnerability being exploited in the wild, but Oracle strongly recommends that customers take action without delay. The complexity of exploitation is low.
Affected Versions
- Oracle Database versions 11.2.0.4, 12.2.0.1, 12.1.0.2 on Windows
- Oracle Database versions 12.1.0.2 on Unix or Linux
Action Items
Update Oracle Database or disable Oracle JVM as soon as possible. We recommend you do both if possible and appropriate for your environment.
- Update Oracle Database on Windows, Unix, or Linux to the latest version provided by Oracle immediately after appropriate testing. See Oracle Security Alert Advisory - CVE-2018-3110 for details.
  - Versions 11.2.0.4 and 12.2.0.1 on Windows: apply the patches provided by Oracle.
  - Version 12.1.0.2 on Windows, or any version of the database on Linux or Unix: if you have not yet applied the July 2018 CPU, do so now; that CPU addresses the vulnerability.
- Disable the Oracle JVM if it is not required in your environment. Disabling it will mitigate the attack vector for this vulnerability, and the Oracle JVM is not required in many environments.
In addition, Oracle recommends that those running Oracle Database enforce password complexity (see NIST Special Publication 800-63B, Appendix A).
Technical Details
The vulnerability resides in the Java Virtual Machine component of the Oracle Database Server and does not require user interaction. It allows a low-privileged attacker who has the Create Session privilege and network access via Oracle Net to compromise the Java VM component. Successful exploitation could allow a remote, authenticated attacker to take complete control of the product and establish shell access to the underlying server. The vulnerability is easy to exploit, but it cannot be exploited remotely unless the attacker is authenticated.
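The following triage queries are an added example for DBAs working through the action items above; they are not part of this notice or of Oracle's advisory. Run them as a DBA in SQL*Plus to see whether an instance is in scope (version and platform), whether the Oracle JVM component is installed, which patches have been applied, and how many accounts hold the Create Session privilege the flaw requires. The view and column names are Oracle's data dictionary; the patch description wording you match on is an assumption and should be checked against the patch README.

```sql
-- 1. Version and platform. Affected per the notice: 11.2.0.4, 12.1.0.2 and 12.2.0.1 on
--    Windows, 12.1.0.2 on Unix/Linux, and version 18 (per the 8/14/18 update).
SELECT banner FROM v$version WHERE banner LIKE 'Oracle Database%';
SELECT platform_name FROM v$database;

-- 2. Is the Oracle JVM component installed? No row returned means it is not installed
--    (and the "disable Oracle JVM" mitigation is already satisfied for this instance).
SELECT comp_id, comp_name, version, status
FROM   dba_registry
WHERE  comp_id = 'JAVAVM';

-- 3. Patch history of this database (DBA_REGISTRY_SQLPATCH exists from 12.1 onward; on
--    11.2.0.4 query DBA_REGISTRY_HISTORY instead). Confirm the July 2018 CPU / the
--    CVE-2018-3110 patch appears with STATUS = 'SUCCESS'.
SELECT patch_id, description, action, status, action_time
FROM   dba_registry_sqlpatch
ORDER  BY action_time DESC;

-- 4. Exposure scope: the flaw needs only CREATE SESSION over Oracle Net, so every open
--    account that can log in is a potential foothold. Review for unneeded, shared or
--    stale accounts and lock what is not required while patching is scheduled.
--    Simplification (assumption): only direct grants and the CONNECT role are covered;
--    CREATE SESSION inherited through other roles is not expanded here.
SELECT u.username, u.account_status, u.last_login
FROM   dba_users u
WHERE  u.account_status = 'OPEN'
AND    u.username IN (
         SELECT grantee FROM dba_sys_privs  WHERE privilege    = 'CREATE SESSION'
         UNION
         SELECT grantee FROM dba_role_privs WHERE granted_role = 'CONNECT')
ORDER  BY u.username;
```

The LAST_LOGIN column in query 4 exists from 12.1 onward; on 11.2.0.4 drop it from the select list.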
How We Protect U-M
In addition to notifying U-M IT staff through this notice and outreach to other stakeholders:
- Information Assurance is scanning campus networks for vulnerable hosts so we can work directly with the owners of those hosts to ensure they are patched.
- Information and Technology Services (ITS) Database Administration has already begun to apply the Oracle patches and disable Oracle JVM where it is not necessary.
Information for Users
Oracle Database is typically installed and maintained by IT staff. General computer users do not need to do anything to address this vulnerability.
References
- Oracle Security Alert Advisory - CVE-2018-3110 (Oracle)
- Oracle Critical Patch Update Advisory - July 2018 (Oracle)
- A Vulnerability in Oracle Database Could Allow for Complete Compromise (Center for Internet Security, 8/13/18)
- Critical vulnerability in Oracle Database, patch without delay! (Help Net Security, 8/13/18)
- Critical Vulnerability Patched in Oracle Database (Security Week, 8/13/18)