Oracle Security Alert Advisory – CVE-2018-3110
This Security Alert addresses an Oracle Database vulnerability in versions 11.2.0.4 and 12.2.0.1 on Windows. CVE-2018-3110 has a CVSS v3 base score of 9.9 and can result in complete compromise of the Oracle Database and shell access to the underlying server. CVE-2018-3110 also affects Oracle Database version 12.1.0.2 on Windows, as well as Oracle Database on Linux and Unix; patches for those versions and platforms were already included in the July 2018 Critical Patch Update (CPU).
If you are running Oracle Database version 11.2.0.4 or 12.2.0.1 on Windows, apply the patches indicated below. If you are running version 12.1.0.2 on Windows, or any version of the database on Linux or Unix, and have not yet applied the July 2018 CPU, do so now.
Due to the nature of this vulnerability, Oracle strongly recommends that customers take action without delay.
Affected Products and Patch Information
The security vulnerability addressed by this Security Alert affects the product listed below. The product area is shown in the Patch Availability Document column; follow the link in that column for patch availability information and installation instructions.
| Affected Products and Versions | Patch Availability Document |
| Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18 | Database |
Security Alert Supported Products and Versions
Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.
Database, Fusion Middleware and Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
- Oracle Critical Patch Updates, Security Alerts and Bulletins
- Oracle Critical Patch Updates and Security Alerts – Frequently Asked Questions
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
- English text version of the risk matrices
- Map of CVE to Advisory
- Software Error Correction Support Policy
The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle: None credited in this Security Alert.
| 2018-August-10 | Rev 1. Initial Release. |
Oracle Database Server Risk Matrix
This Security Alert contains 1 new security fix for the Oracle Database Server. This vulnerability is not remotely exploitable without authentication: it can be reached over the network (Oracle Net), but only by an attacker who already holds database credentials with the Create Session privilege. The metrics below correspond to the CVSS v3.0 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, a base score of 9.9; the changed scope reflects that compromise of the database extends to the operating system account the database runs under. This fix is not applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
| CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | CVSS v3.0 Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| CVE-2018-3110 | Java VM | Create Session | Oracle Net | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18 | |
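The following SQL*Plus script is an added example, not part of Oracle's advisory, for confirming exposure before and after patching. It reports the release and platform (to match against the affected versions above), whether the Java VM component named in the risk matrix is installed, which SQL patches the data dictionary records, and which open accounts hold the Create Session privilege that the matrix lists as the only prerequisite. It assumes a DBA connection and a release of 12.1 or later for DBA_REGISTRY_SQLPATCH; the 11.2.0.4 alternative is noted in the comments.

```sql
-- Added example (not Oracle's own script). Run as a DBA in SQL*Plus.
-- Assumes the standard data dictionary views of Oracle Database 11.2 and later.
SET LINESIZE 200 PAGESIZE 100

-- 1. Release and platform: compare with the "Supported Versions Affected"
--    column of the risk matrix and the Windows/Linux/Unix split in the alert.
SELECT banner FROM v$version WHERE banner LIKE 'Oracle Database%';
SELECT platform_name FROM v$database;

-- 2. Is the affected component (Java VM) installed in this database?
--    No JAVAVM row means the option is not present; a row with status
--    other than VALID still counts as installed for patching purposes.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id = 'JAVAVM';

-- 3. Which SQL patches (CPU / Security Alert) does the dictionary record?
--    DBA_REGISTRY_SQLPATCH exists from 12.1 onward; on 11.2.0.4 use
--    SELECT * FROM registry$history ORDER BY action_time; instead, and
--    confirm the Oracle home itself with "opatch lsinventory".
SELECT patch_id, description, action, status, action_time
  FROM dba_registry_sqlpatch
 ORDER BY action_time;

-- 4. Who can satisfy the "Create Session" precondition over Oracle Net?
--    Direct grants plus grants inherited through one level of roles
--    (CONNECT included), restricted to accounts that are not locked.
WITH session_grantees AS (
  SELECT grantee
    FROM dba_sys_privs
   WHERE privilege = 'CREATE SESSION'
  UNION
  SELECT rp.grantee
    FROM dba_role_privs rp
    JOIN dba_sys_privs sp ON sp.grantee = rp.granted_role
   WHERE sp.privilege = 'CREATE SESSION'
)
SELECT u.username, u.account_status, u.profile
  FROM dba_users u
  JOIN session_grantees g ON g.grantee = u.username
 WHERE u.account_status = 'OPEN'
 ORDER BY u.username;
```

Step 4 resolves only one level of role nesting; if your roles are granted to roles, extend the CTE with a CONNECT BY over DBA_ROLE_PRIVS. The point of the list is to size the population that can reach the bug: every open account it returns, not just DBAs, has what the risk matrix requires, which is why the alert asks for the patch rather than privilege review as the remedy.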