Developers recommend installing update patches as soon as possible
According to cyber security organization experts from the International Institute of Cyber Security, Oracle is urging its users to patch their Oracle Database installations to fix a critical security issue that could result in complete compromise of the Oracle database and shell access to the underlying server.
About the vulnerability (CVE-2018-3110)
According to cyber security organization experts, the vulnerability (CVE-2018-3110) affects the Oracle Database management system in its 184.108.40.206 and 220.127.116.11 versions on Windows. It is apparently easy to exploit, but can only be exploited remotely by an authenticated attacker. The vulnerability is in the Java Virtual Machine component of the Oracle system. It does not require user interaction and allows an attacker with access to the system to compromise this component through Oracle Net.
“The vulnerability CVE-2018-3110 also affects Oracle version 18.104.22.168 on Windows as well as Oracle on Linux and Unix; however, patches for those versions and platforms have been issued since July”, Oracle shared in a statement. “Customers running Oracle Database versions 22.214.171.124 and 126.96.36.199 on Windows must install the patches provided by the company. Customers running the 188.8.131.52 version on Windows or any version of the database on Linux or Unix must apply the update patches launched in July 2018 if they have not already done so”, the company statement continued.
The fix, which has been available since last Friday, does not apply to client-only installations, that is, installations that do not have Oracle Database Server installed.
“Due to the nature of this vulnerability, Oracle strongly recommends that customers act without delay”, the company said, although, according to cyber security organization experts, it is unknown whether the vulnerability is being exploited; it is also unknown how it was discovered.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.