Database giant Oracle has released a fix for a severe bug in Oracle Database Server on Windows.
The Oracle Database Server bug, tagged with the identifier CVE-2018-3110, is about as severe as is possible because it can not only give an attacker "complete control" over the vulnerable 11g, 12c, and new 18c database, but also provides shell access to the Windows server it is running on top of.
The bug, which stems from a Java virtual-machine component of the database, has a CVSS v3 base score of 9.9 out of 10.
Vulnerable versions include Oracle Database versions 184.108.40.206 and 220.127.116.11 on Windows. It also affects version 18.104.22.168 on Windows, Linux, and Unix servers, however the latter two were patched in Oracle's planned July update, according to Oracle.
Admins responsible for Oracle Database versions 22.214.171.124 and 126.96.36.199 on Windows need to apply the patches in the advisory for CVE-2018-3110, while anyone running 188.8.131.52 on Windows -- as well as any version of the database on Linux or Unix that did not apply the July updates -- should apply the updates available here.
"Due to the nature of this vulnerability, Oracle strongly recommends that customers take action without delay."
The flaw can be explored remotely, however an attacker would need to possess valid user credentials.
The bug is easily exploitable and "allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise Java VM", Oracle explains in support notes.
"While the vulnerability is in Java VM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java VM,"
Oracle did alert customers to the Database Server on Windows issue before this week's Patch Tuesday from Microsoft, which contained Windows kernel and OS fixes for the just disclosed Foreshadow speculative execution side channel attacks affecting Intel Core and Xeon CPU.
Foreshadow didn't impact Oracle's SPARC or Oracle Intel x86 servers, Oracle did release Foreshadow patches for its Oracle Linux OS, Solaris and VM Server for X86 products.
PREVIOUS AND RELATED COVERAGE
Oracle is happy that Terix's CEO is being jailed and fined $100,000.
Fixes for vulnerabilities spread across 20 products and a Solaris patch that addresses the Spectre processor flaw.
The compute accelerator is optimized for graphics-intensive applications and machine learning inference.
Oracle is its own worst enemy when it comes to its cloud ambitions.
Google Cloud announcements bring deep learning and big data analytics beyond data scientists, but enterprises will want more.
Microsoft Surface Go (CNET)
The new Microsoft Surface Go is the perfect size for casual coffee-shop computing, but getting the full experience quickly drives up the price.