Well there’s something I wasn’t expecting to see… into my inbox I received notification of a new Oracle vulnerability, and it looks like a big one.
This new vulnerability, announced by Oracle here, indicates a new vulnerability with “a CVSS v3 base score of 9.9, and can result in complete compromise of the Oracle Database and shell access to the underlying server“.
This new vulnerability affects the following versions of Oracle’s Database product:
Devil is in the detail
As always, the devil would seem to be in the detail. While multiple versions are indicated, the scope of impact varies by platform:
- Oracle DB versions 184.108.40.206 and 220.127.116.11
- Oracle DB version 18.104.22.168 is also affected however patches were made available in the July 2018 CPU
- Linux + Unix
- Oracle DB versions 22.214.171.124, 126.96.36.199, 188.8.131.52 however patches were made available in the July 2018 CPU
Interestingly, version 18 is also impacted – a release that was originally only available on the Oracle Cloud or Oracle Engineered Systems however from end July 2018 was made available for Linux.
Comment on Risk
Oracle does note that the vulnerability can not be exploited over the network without authentication – ie. user credentials are required
This vulnerability is only for server installs, not for client only installs.
Given the nature of this vulnerability, Oracle is recommending that all customers take urgent action, following the guidance on their advisory.