Updated: Sep 14, 2018
Oracle warns customers to patch a remotely exploitable flaw affecting Oracle Database on Windows servers.
Database giant Oracle has released a fix for a severe bug in Oracle Database Server on Windows.
The Oracle Database Server bug, tagged with the identifier CVE-2018-3110, is about as severe as is possible because it can not only give an attacker "complete control" over a vulnerable 11g, 12c, or new 18c database, but also provides shell access to the Windows server it is running on top of.
The bug, which stems from a Java virtual-machine component of the database, has a CVSS v3 base score of 9.9 out of 10.
Vulnerable versions include Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows. It also affects version 12.1.0.2 on Windows, Linux, and Unix servers, though the latter two were patched in Oracle's planned July update, according to Oracle.
Admins responsible for Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows need to apply the patches in the advisory for CVE-2018-3110, while anyone running 12.1.0.2 on Windows -- as well as any version of the database on Linux or Unix that did not apply the July updates -- should apply the July updates.
"Due to the nature of this vulnerability, Oracle strongly recommends that customers take action without delay."
The flaw can be exploited remotely; however, an attacker would need to possess valid user credentials.
The bug is easily exploitable and "allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise Java VM", Oracle explains in support notes.
"While the vulnerability is in Java VM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java VM."
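Checks a DBA could run on an instance to map the article's affected-release list and its stated exploitation precondition (an open account holding CREATE SESSION). This is an added example, not code from the article or from Oracle; it assumes a DBA-level account, and the patch-history query assumes 12.1 or later, where dba_registry_sqlpatch exists.

```sql
-- 1. Release and platform, compared with the affected set the article lists:
--    11.2.0.4 and 12.2.0.1 on Windows; 12.1.0.2 on Windows, Linux and Unix
--    (the Linux/Unix 12.1.0.2 fix shipped in the July 2018 update).
SELECT d.name AS db_name,
       i.version,
       d.platform_name,
       CASE
         WHEN d.platform_name LIKE 'Microsoft Windows%'
              AND (i.version LIKE '11.2.0.4%'
                   OR i.version LIKE '12.2.0.1%'
                   OR i.version LIKE '12.1.0.2%')
           THEN 'AFFECTED: apply the CVE-2018-3110 Windows patch'
         WHEN i.version LIKE '12.1.0.2%'
           THEN 'AFFECTED unless the July 2018 update is applied'
         ELSE 'not in the listed set; verify against the Oracle advisory'
       END AS exposure
  FROM v$instance i CROSS JOIN v$database d;

-- 2. Recently applied SQL patches (12.1+). Match the description and
--    patch id against the CVE-2018-3110 advisory, which the article does
--    not reproduce, to confirm the fix is actually installed.
SELECT patch_id, action, status, action_time, description
  FROM dba_registry_sqlpatch
 ORDER BY action_time DESC;

-- 3. Open accounts that satisfy the precondition Oracle names: CREATE SESSION
--    (directly, or through nested roles such as CONNECT) plus network access.
--    CONNECT BY walks role grants; NOCYCLE guards against circular grants.
WITH holders AS (
  SELECT grantee
    FROM dba_sys_privs
   WHERE privilege = 'CREATE SESSION'
  UNION
  SELECT rp.grantee
    FROM dba_role_privs rp
   START WITH rp.granted_role IN (SELECT grantee
                                    FROM dba_sys_privs
                                   WHERE privilege = 'CREATE SESSION')
  CONNECT BY NOCYCLE PRIOR rp.grantee = rp.granted_role
)
SELECT u.username, u.account_status, u.profile, u.last_login
  FROM dba_users u
  JOIN holders h ON h.grantee = u.username
 WHERE u.account_status = 'OPEN'
 ORDER BY u.username;
```

Query 3 gives the population whose credentials would make the "low privileged attacker" scenario possible; accounts that are unused or over-provisioned are candidates for locking or for revoking CREATE SESSION while the patch is rolled out. On 11.2.0.4, drop the last_login column (added in 12.1) and use sys.registry$history instead of dba_registry_sqlpatch.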
Oracle did alert customers to the Database Server on Windows issue before this week's Patch Tuesday from Microsoft, which contained Windows kernel and OS fixes for the just-disclosed Foreshadow speculative execution side-channel attacks affecting Intel Core and Xeon CPUs.
While Foreshadow didn't impact Oracle's SPARC or Oracle Intel x86 servers, Oracle did release Foreshadow patches for its Oracle Linux OS, Solaris, and VM Server for x86 products.