-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2017.0163.2
                 Security Advisory: Oracle Database Server
                              18 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Database Server
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Existing Account      
                      Access Confidential Data        -- Existing Account      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-10321 CVE-2017-10292 CVE-2017-10261
                      CVE-2017-10190 CVE-2016-8735 CVE-2016-6814
Member content until: Friday, November 17 2017
Reference:            ASB-2017.0120
                      ASB-2017.0118
                      ESB-2016.2846
                      ESB-2016.2795

Revision History:     October 18 2017: Updated OS Field
                      October 18 2017: Initial Release

OVERVIEW

        Multiple vulnerabilities have been identified in 
        Oracle Database Server, versions  11.2.0.4,  12.1.0.2, 12.2.0.1
        [1]


IMPACT

        The vendor has provided the following information regarding
        to the vulnerabilities.
        
        "This Critical Patch Update contains 6 new security fixes for
        the Oracle Database Server.   2 of these vulnerabilities may
        be remotely exploitable without authentication,  i.e.,  may
        be exploited over a network without requiring user
        credentials.   None of these fixes are applicable to client-
        only installations,  i.e., installations that do not have
        the Oracle Database Server  installed.  The English text
        form of this Risk Matrix can be found here."
        [1]
        
        
        "CVE-2017-10321
        
        8.8
        
        AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
        
        Easily exploitable vulnerability allows low privileged
        attacker having Create session privilege with logon to the
        infrastructure where Core RDBMS executes to compromise Core
        RDBMS.  While the vulnerability is in Core RDBMS, attacks
        may significantly impact additional products.  Successful
        attacks of this vulnerability can result in takeover of Core
        RDBMS. Note: This score is for Windows platform version
        11.2.0.4 of Database. For Windows platform version 12.1.0.2
        and Linux, the score is 7.8 with scope Unchanged.
        
        CVE-2016-6814
        
        8.3
        
        AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
        
        Difficult to exploit vulnerability allows unauthenticated
        attacker with network access via multiple protocols to
        compromise Spatial (Apache Groovy).  Successful attacks
        require human interaction from a person other than the
        attacker and while the vulnerability is in Spatial (Apache
        Groovy), attacks may significantly impact additional
        products. Successful attacks of this vulnerability can
        result in takeover of Spatial (Apache Groovy). Note:
        Component installed optionally. Not in the default
        installation.
        
        CVE-2017-10190
        
        8.2
        
        AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
        
        Easily exploitable vulnerability allows high privileged
        attacker having Create Session, Create Procedure privilege
        with logon to the infrastructure where Java VM executes to
        compromise Java VM.  While the vulnerability is in Java VM,
        attacks may significantly impact additional products.
        Successful attacks of this vulnerability can result in
        takeover of Java VM.
        
        CVE-2016-8735
        
        8.1
        
        AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
        
        Difficult to exploit vulnerability allows unauthenticated
        attacker with network access via multiple protocols to
        compromise WLM (Apache Tomcat).  Successful attacks of this
        vulnerability can result in takeover of WLM (Apache Tomcat).
        
        CVE-2017-10261
        
        6.5
        
        AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
        
        Easily exploitable vulnerability allows low privileged
        attacker having Create Session privilege with logon to the
        infrastructure where XML Database executes to compromise XML
        Database.  While the vulnerability is in XML Database,
        attacks may significantly impact additional products.
        Successful attacks of this vulnerability can result in
        unauthorized access to critical data or complete access to
        all XML Database accessible data. Note: This score is for
        Windows platform version 11.2.0.4 of Database. For Windows
        platform version 12.1.0.2 and Linux, the score is 5.5 with
        scope Unchanged.
        
        CVE-2017-10292
        
        2.3
        
        AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
        
        Easily exploitable vulnerability allows high privileged
        attacker having Create User privilege with logon to the
        infrastructure where RDBMS Security executes to compromise
        RDBMS Security.  Successful attacks of this vulnerability
        can result in  unauthorized update, insert or delete access
        to some of RDBMS Security accessible data."
        [2]


MITIGATION

        
        Oracle states:
        
        "Due to the threat posed by a successful attack, Oracle
        strongly recommends that customers apply CPU fixes as soon
        as possible. Until you apply the CPU fixes, it may be
        possible to reduce the risk of successful attack by blocking
        network protocols required by an attack. For attacks that
        require certain privileges or access to certain packages,
        removing the privileges or the ability to access the
        packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may
        break application functionality, so Oracle strongly
        recommends that customers test changes on non-production
        systems. Neither approach should be considered a long-term
        solution as neither corrects the underlying problem." [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - October 2017
            http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

        [2] Text Form of Oracle Critical Patch Update - October 2017 Risk
            Matrices
            http://www.oracle.com/technetwork/security-advisory/cpuoct2017verbose-3236627.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWebNW4x+lLeg9Ub1AQhN8Q/9HkDnzXtMgpQgvIaI91xFT4PHXlQZDExO
RQLx/CdRl2zviGQJRrdKIhXRb4XQaQTNbIOFyk1Psn3VxVNX+W3r+XESJLay4LVE
FgqCzS5gihoqtSVmNzkz9YHhmD3i6mV79god7tbIOC9LCS84dd/uN/c5fC7/ETrg
esBRAiN10un3U+/7oXSFjnQiR8AmsmyhltPhwHMhrhNQc0FBnGsq2n7NGgN754gW
nYvcU5GkMruYhPRgxyBD8ac6Ts9m3/ybiI7wYqgx8fFOfQwwpVQV/WKR/lXgwCD/
hcQPYHIHbbEzAvAP/xj0t9Lcy5uq0e7OwatfVDHpVaz0F5LBBfER1qzdc1ZvvLql
q1y0jn5fnjCu/ErxFxWk2P5lpHUq9bd6ENZMD2s4+BbeH0kWX+JU1t/ODvK3p0pi
R07avRR78/h+NZRKixkKJp7SWa5hInP59qh5Gs44LoSFBYcdfk+dNVYuMZi98/Qp
qhs+Cnsb1Et3AF3RldgvQ6BVn9ZgCO2UvbLrsPA2h6Af5PhnjwYXnSP5lguUh/nT
U8LeFr4Op818lsT2nD+kHgSXIFrsc0Da/ZAb46d8KS9Hfq7xAB5OJTWvKGBRj44Z
P4ul2MIG+bMgB/+DDnp811vYoHWVhB3S5ACqN/Ivsa7ppejtQ+YKWTkW8nQeuSj+
AwM9qaHHiU4=
=64wT
-----END PGP SIGNATURE-----