New Oracle Vulnerability – CVSS 9.9

Well, there’s something I wasn’t expecting to see… in my inbox I received notification of a new Oracle vulnerability, and it looks like a big one.

CVE-2018-3110

Oracle’s Security Alert for this vulnerability, announced here, gives it “a CVSS v3 base score of 9.9”, and states that it “can result in complete compromise of the Oracle Database and shell access to the underlying server”.

Versions Impacted

This vulnerability affects the following versions of Oracle Database:

  • 11.2.0.4
  • 12.1.0.2
  • 12.2.0.1
  • 18

Devil is in the detail

As always, the devil would seem to be in the detail. While multiple versions are listed, the scope of impact, and where the fix comes from, varies by platform:

  • Windows
    • Oracle DB versions 11.2.0.4 and 12.2.0.1: affected, and fixed only by the patches released with this Security Alert
    • Oracle DB version 12.1.0.2: also affected, however the patch was already included in the July 2018 CPU
  • Linux + Unix
    • Oracle DB versions 11.2.0.4, 12.1.0.2 and 12.2.0.1: affected, however the patches were already included in the July 2018 CPU

In other words, a Linux or Unix server (or 12.1.0.2 on Windows) that has the July 2018 CPU applied is already covered; 11.2.0.4 and 12.2.0.1 on Windows are not, and need the new Security Alert patches.

Interestingly, version 18 is also impacted. This release was originally available only on Oracle Cloud and Oracle Engineered Systems, but from late July 2018 it was also made available for Linux.
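To place a given instance in the matrix above you need three facts: the exact version, the platform, and which patch bundles are already recorded. The queries below are an added example, not taken from Oracle’s advisory or the original post; they use standard data-dictionary views and assume you are connected as a DBA to the instance on the server itself. The assumption that the July 2018 bundle descriptions contain the 180717 release-date tag follows Oracle’s usual PSU/BP naming, and is flagged as such in the comments.

```sql
-- Added example: gather the facts that decide whether CVE-2018-3110 applies.
-- Run in SQL*Plus as a DBA, connected to the instance on the database server.

-- 1. Exact version and platform: the advisory's matrix is keyed on both.
--    e.g. 12.2.0.1.0 on "Microsoft Windows x86 64-bit" needs the Security Alert
--    patches, while the same version on Linux is covered by the July 2018 CPU.
SELECT i.instance_name,
       i.version,
       d.platform_name
  FROM v$instance i
 CROSS JOIN v$database d;

-- 2. Patch bundles registered in the database (dba_registry_sqlpatch exists from
--    12.1 onwards; on 11.2.0.4 use "$ORACLE_HOME/OPatch/opatch lspatches" from
--    the shell instead). Assumption: the July 2018 CPU/PSU description carries
--    its release-date tag, 180717, as Oracle's bundle names normally do.
SELECT patch_id,
       action,
       status,
       description,
       action_time
  FROM dba_registry_sqlpatch
 WHERE description LIKE '%180717%'   -- July 2018 bundle, per the assumption above
 ORDER BY action_time DESC;
```

Read the output against the matrix: a row with action APPLY and status SUCCESS for the July 2018 bundle means Linux/Unix servers, and 12.1.0.2 on Windows, already have the fix; 11.2.0.4 and 12.2.0.1 on Windows still need the Security Alert patches regardless of what the second query returns. An empty result on 12.1 or later means the bundle was never registered; on 11.2.0.4 it means only that the view does not exist, so confirm with opatch rather than trusting it.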

Comment on Risk

Oracle does note that the vulnerability cannot be exploited over the network without authentication, i.e. valid database user credentials are required. That narrows the exposure to anyone who already holds (or has stolen) a database account, but given the stated impact it still turns any such account into shell access on the server, so it should be treated as a privilege-escalation path rather than dismissed as low risk.

This vulnerability affects server installs only; client-only installs are not affected.

Action

Given the nature of this vulnerability, Oracle recommends that all customers take urgent action, following the guidance in its advisory: apply the Security Alert patches where they are required, and confirm the July 2018 CPU is in place on the platforms and versions where that already contains the fix.