Oracle informed that its Database product is affected by a critical vulnerability. Patches have been released and users have been advised to install them as soon as possible.
The security hole, tracked as CVE-2018-3110 with a CVSS score of 9.9, affects Oracle Database 220.127.116.11 and 18.104.22.168 on Windows. Version 22.214.171.124 on Windows and Database running on Unix or Linux are also impacted, but patches for these versions were included in Oracle’s July 2018 CPU.
The vulnerability, present in the Java VM component of Oracle Database Server, can be exploited to take complete control of the product and obtain shell access to the underlying server.
However,Oralce noted that the weakness cannot be exploited remotely without authentication, and that the fix does not apply to client-only installations (i.e. installations that do not have Database Server).
“Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise Java VM. While the vulnerability is in Java VM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java VM,” Oracle said.
The company “strongly recommends that customers take action without delay” to address CVE-2018-3110, which has led some to wonder if Oracle believes that the risk of exploitation is high.