Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Critical Vulnerability Patched in Oracle Database

Oracle informed customers late on Friday that its Database product is affected by a critical vulnerability. Patches have been released and users have been advised to install them as soon as possible.

Oracle informed customers late on Friday that its Database product is affected by a critical vulnerability. Patches have been released and users have been advised to install them as soon as possible.

The security hole, tracked as CVE-2018-3110 with a CVSS score of 9.9, affects Oracle Database 11.2.0.4 and 12.2.0.1 on Windows. Version 12.1.0.2 on Windows and Database running on Unix or Linux are also impacted, but patches for these versions were included in Oracle’s July 2018 CPU.

The vulnerability, present in the Java VM component of Oracle Database Server, can be exploited to take complete control of the product and obtain shell access to the underlying server.

However, the vendor noted that the weakness cannot be exploited remotely without authentication, and that the fix does not apply to client-only installations (i.e. installations that do not have Database Server).

“Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise Java VM. While the vulnerability is in Java VM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java VM,” Oracle said in its advisory.

The company “strongly recommends that customers take action without delay” to address CVE-2018-3110, which has led some to wonder if Oracle believes that the risk of exploitation is high.

Oracle patches critical Database flaw

Related: Oracle Patches New Spectre, Meltdown Vulnerabilities

Related: Hackers Target Poorly Patched Oracle WebLogic Flaw

Advertisement. Scroll to continue reading.

Related: Recently Patched Oracle WebLogic Flaw Exploited in the Wild

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

Professional services company Slalom has appointed Christopher Burger as its first CISO.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.