Critical Vulnerability was discovered in the Java VM component of Oracle Database Server

Reference: CERT.be Advisory #2018-023
Version: 1.0
Affected software: Oracle Database Server versions 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18.
Type: Privilege escalation to session privileges
CVE: CVE-2018-3110
CVSS: 9.9

Sources

- http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-3110-...
- https://www.security-database.com/detail.php?alert=CVE-2018-3110
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Risks

Successful exploitation of this vulnerability can result in privilege escalation to session privileges. The attacker requires network access and low-privileged credentials to compromise the Java Virtual Machine; because other products rely on the Java Virtual Machine, a compromise can also impact those products.

Summary

A vulnerability was discovered in the Java VM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18.
This easily exploitable vulnerability allows an attacker with low-privileged credentials and network access via the Oracle Net protocol to upgrade the current privileges to session privileges and compromise the Java Virtual Machine. Successful attacks can result in a takeover of the Java Virtual Machine and of products relying on it.

Recommended actions

CERT.be recommends that users always keep their systems up to date. Patches can be downloaded at the following address: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html