ALERT: Update Oracle Database for critical vulnerability

Monday, August 13, 2018

8/14/18 Update: Version 18 of Oracle Database is also affected by this vulnerability. If you are running version 18 on any operating system and have not yet applied the July 2018 CPU, do so now; that CPU addresses the vulnerability.

8/13/18: The information below was sent to U-M IT staff groups via email on August 13, 2018. It is intended for U-M IT staff who are responsible for university servers (on premise or in the cloud) running Oracle Database.

Summary

A critical vulnerability has been discovered in Oracle Database that could allow for complete compromise of the database, as well as shell access to the underlying server. Successful exploitation of this vulnerability could allow a remote, authenticated attacker to take complete control of the product and establish shell access to the underlying server.

Problem

The Oracle Java Virtual Machine (JVM) component of Oracle Database has a critical vulnerability that allows an authenticated user to access the entire Oracle database and gain shell-level access to the underlying server.

Affected Versions

  • Oracle Database versions 11.2.0.4, 12.2.0.1, 12.1.0.2 on Windows
  • Oracle Database versions 12.1.0.2 on Unix or Linux

Action Items

Update Oracle Database or disable Oracle JVM as soon as possible. We recommend you do both if possible and appropriate for your environment.

  • Update Oracle Database on Windows, Unix, or Linux to the latest version provided by Oracle immediately after appropriate testing. See Oracle Security Alert Advisory - CVE-2018-3110 for details.
    • Versions 11.2.0.4 and 12.2.0.1 on Windows. Apply the patches provided by Oracle.
    • Version 12.1.0.2 on Windows or any version of the database on Linux or Unix. If you have not yet applied the July 2018 CPU, do so now; that CPU addresses the vulnerability.
  • Disable the Oracle JVM if it is not required in your environment. Disabling it will mitigate the attack vector for this vulnerability, and the Oracle JVM is not required in many environments.

In addition, Oracle recommends that those running Oracle Database enforce password complexity (see NIST Special Publication 800-63B, Appendix A).

Threats

There are currently no reports of this vulnerability being exploited in the wild, but Oracle strongly recommends that customers take action without delay. The complexity of exploitation is low.

Technical Details

The vulnerability resides in the Java Virtual Machine component of the Oracle Database Server and does not require user interaction. It allows low-privileged attackers that have Create Session privilege with network access via Oracle Net to compromise the Java VM component. The successful exploitation of this vulnerability could allow a remote, authenticated attacker to take complete control of the product and establish shell access to the underlying server. The vulnerability is easy to exploit but cannot be exploited remotely unless the attacker is authenticated.

    How We Protect U-M

    In addition to notifying U-M IT staff through this notice and outreach to other stakeholders:

    • Information Assurance is scanning campus networks for vulnerable hosts so we can work directly with the owners of those hosts to ensure they are patched.
    • Information and Technology Services (ITS) Database Administration has already begun to apply the Oracle patches and disable Oracle JVM where it is not necessary.

    Information for Users

    Oracle Database is typically installed and maintained by IT staff. General computer users do not need to do anything to address this vulnerability.