back to article Oracle: Run, don't walk, to patch this critical Database takeover bug

Oracle is advising customers to update their database software following the discovery and disclosure of a critical remote code execution vulnerability. The flaw, dubbed CVE-2018-3110 was given a CVSS base score of 9.9 (out of 10) and Oracle warns that successful exploit of the bug "can result in complete compromise of the …

  1. Nate Amsden

    could disable java

    Though it is enabled by default, I remember disabling it on my last installs since the app that I use oracle with (vCenter) doesn't need it.

    SQL> select comp_name from dba_registry;

    COMP_NAME

    --------------------------------------------------------------------------------

    Oracle Enterprise Manager

    Oracle XML Database

    Oracle Text

    Oracle Workspace Manager

    Oracle Database Catalog Views

    Oracle Database Packages and Types

    6 rows selected.

    You can probably do it on the fly(as in don't have to reinstall) as well assuming you don't need it:

    http://fast-dba.blogspot.com/2014/04/how-to-remove-unwanted-components-from.html

  2. Kevin McMurtrie Silver badge

    It's okay

    No hacker wants to face an Oracle licensing violation audit.

    1. Aladdin Sane

      Re: It's okay

      Sounds like an appropriate punishment for hackers.

  3. FF22

    What?

    "The flaw itself is found in the JavaVM component of Oracle Database Server and is not considered a remote code exploit flaw, as it requires the attacker have a connection to the server via Oracle Net, the protocol Oracle servers use to connect with client applications"

    It's not a remote exploit, because it requires a connection to the server? That's the very definition of a remote exploit, ie. that it can be execute over a network connection, and does not require local access to the target.

    1. John Riddoch

      Re: What?

      I assume it's a terminology thing - for it to be a "remote code exploit flaw", it may need to be an attack vector for non-authenticated users. As you have to be logged into the database, it's not quite as bad as some other flaws, but still needs patched.

      1. Amos1

        Re: What?

        Are you certain you have to be logged in? I've never seen a CVSS 9.9 that required authentication. Usually if it's above 7 or 8 then it's unauthenticated. I think by default that all users are granted CREATE SESSION. Also remember that Oracle has a long history of down-rating their vulnerabilities but man, there isn't much difference from the max of 10.0 and 9.9

        I wonder if a web app could be used to exploit this unauthenticated. Web user hits login page, service account hits database, kind of thing.

        OT, does anybody know why the maximum rating is 10.0 when it's impossible to have a 10.1? Seems silly.

  4. JLV

    is JavaVM what supports Java, not PLSQL, Stored Procedures, on the database engine?

  5. Anonymous Coward
    IT Angle

    I don't understand the stock photo.

    Why's her mouth open so wide? What's this got to do with the story?

  6. Aodhhan

    I have to ask...

    Since Oracle has a horrible reputation of fixing patches--not to mention the high number of EASY exploits; why are you still using this database, and/or any application requiring Oracle Java?

    Fortunately, the two companies I've worked for in the past five years have both pretty much phased all Oracle products out--including Java based web apps. Not to mention, getting rid of applications which embed Oracle into their products. Such as Symantec DLP.

    1. Anonymous Coward
      Anonymous Coward

      Re: I have to ask...

      "why are you still using this database,"

      Have you tried the alternatives? They're even worse. Last time I was involved with sybase we considered it a win if none of the instances went down in a week. SQL Server? Yeah, thats fine for some periphery systems but its not a Bet The Business 24/7 DB. And don't get me started on NoSQL DBs, they're just a hipster nostalgia trip back to the 70s and are fucking useless for even moderately complex data relationships. RDBMS - the clues in the name.

    2. cbars Bronze badge

      Re: I have to ask...

      I have no doubt that the Oracle DB is riddled with bugs - but the idea that everything else is therefore better is quite childish in my opinion.

      This is the same mentality that says malware can't infect Linux systems*......

      The alternatives just aren't as valuable to target, or used in such a wide variety of environments. They're probably just as crap in slightly different ways. Actually, I'm feeling generous: probably a little bit less crap as they're probably written by fewer people with a wider knowledge of the overall codebase.

      *I am not disparaging Linux, just the idea that it's immune from bugs

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like