The following was circulated to our NetSure360° managed service customers on Monday 13th August 2018.
Priority: Critical
Executive Summary: Oracle released a Security Alert on 10th August 2018, advising that the Java VM component of Oracle Database versions 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18 is affected by an easily exploitable vulnerability that allows a low privileged attacker to take complete control of the database and gain shell access to the host machine. [1]
Exploitation requires only the Create Session privilege and network access to the database via Oracle Net. It is possible remotely by any attacker who can authenticate to the database, and it needs no user interaction.
This vulnerability, CVE-2018-3110, has been assigned a CVSS 3.0 base score of 9.9, giving it a rating of Critical.
Detect: Inventory every Oracle Database instance running within the environment, and confirm whether it is one of the affected versions (11.2.0.4, 12.1.0.2, 12.2.0.1 or 18), whether the Java VM component is installed, and whether the vendor patch has already been applied.
Prevent: The vendor recommends applying the July 2018 Critical Patch Update [2], which contains the fix for Oracle Database on Linux/Unix and for 12.1.0.2 on Windows. Note that for 11.2.0.4 and 12.2.0.1 on Windows the fix is delivered by the separate Security Alert patches [1], so those systems are not protected by the July CPU alone.
React:
• Identify affected databases, and prioritise applying the Oracle July Critical Patch Update to them.
• If patching the affected products is not an available or immediate option, review which accounts hold the Create Session privilege (directly or via a role such as CONNECT), lock or remove any that are not required, and enable logon auditing on the remainder so that there is a record of when, and from which host, each account connects.
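The Detect and React steps above, as an added worked example (not part of the advisory and not Oracle's own tooling): SQL to be run as a DBA in SQL*Plus against each instance. It assumes Oracle 12.1 or later for DBA_REGISTRY_SQLPATCH and unified auditing; the 11.2.0.4 alternatives are noted in comments, and the audit policy name cve_2018_3110_logons is arbitrary.

```sql
-- Added example: run as a DBA against each instance. Assumes 12.1+ for
-- DBA_REGISTRY_SQLPATCH and unified auditing; 11.2.0.4 alternatives are noted.

-- Detect (1): exact version of this instance.
SELECT banner FROM v$version;

-- Detect (2): is the vulnerable Java VM component installed at all?
SELECT comp_id, comp_name, version, status
FROM   dba_registry
WHERE  comp_id = 'JAVAVM';

-- Detect (3): which SQL patches have been applied, newest first. Look for the
-- July 2018 CPU / Security Alert patch in DESCRIPTION with STATUS = 'SUCCESS'.
-- (11.2.0.4: use DBA_REGISTRY_HISTORY, or "opatch lsinventory" on the host.)
SELECT patch_id, description, action, status, action_time
FROM   dba_registry_sqlpatch
ORDER  BY action_time DESC;

-- React (1): every OPEN account that can log in, i.e. holds CREATE SESSION
-- directly or through a directly granted role such as CONNECT
-- (nested role grants are not expanded here).
SELECT u.username, u.account_status, p.via
FROM   dba_users u
JOIN (
        SELECT grantee, 'DIRECT' AS via
        FROM   dba_sys_privs
        WHERE  privilege = 'CREATE SESSION'
        UNION ALL
        SELECT rp.grantee, 'ROLE ' || rp.granted_role AS via
        FROM   dba_role_privs rp
        JOIN   dba_sys_privs sp ON sp.grantee = rp.granted_role
        WHERE  sp.privilege = 'CREATE SESSION'
     ) p ON p.grantee = u.username
WHERE  u.account_status = 'OPEN'
ORDER  BY u.username, p.via;

-- React (2): record every logon and logoff with the originating host.
-- Unified auditing (12c+); policy name is an arbitrary choice.
CREATE AUDIT POLICY cve_2018_3110_logons ACTIONS LOGON, LOGOFF;
AUDIT POLICY cve_2018_3110_logons;
-- Traditional auditing (11.2.0.4, or 12c without unified auditing):
-- AUDIT SESSION BY ACCESS;

-- React (3): review who connected, from where, and whether it succeeded
-- (RETURN_CODE 0 = success; 1017 = invalid username/password).
-- Unified audit trail (12c+); on 11.2.0.4 query DBA_AUDIT_SESSION instead.
SELECT event_timestamp, dbusername, os_username, userhost, action_name, return_code
FROM   unified_audit_trail
WHERE  action_name IN ('LOGON', 'LOGOFF')
ORDER  BY event_timestamp DESC;
```

The account listing deliberately joins through roles as well as direct grants, because on most installations the majority of interactive accounts receive CREATE SESSION via CONNECT rather than directly; a query against DBA_SYS_PRIVS alone would miss them.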
Sources:
[1] http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-3110-5032149.html
[2] http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
[3] https://blogs.oracle.com/oraclesecurity/security-alert-cve-2018-3110-released
[4] https://securityaffairs.co/wordpress/75310/hacking/cve-2018-3110-oracle-database.html
[5] https://nvd.nist.gov/vuln/detail/CVE-2018-3110
[6] https://sensorstechforum.com/cve-2018-3110-critical-vulnerability-oracle-database/