-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin

                          ASB-2017.0163.2
               Security Advisory: Oracle Database Server
                            18 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Database Server
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Existing Account
                      Access Confidential Data        -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-10321 CVE-2017-10292 CVE-2017-10261
                      CVE-2017-10190 CVE-2016-8735 CVE-2016-6814
Member content until: Friday, November 17 2017
Reference:            ASB-2017.0120
                      ASB-2017.0118
                      ESB-2016.2846
                      ESB-2016.2795

Revision History:     October 18 2017: Updated OS Field
                      October 18 2017: Initial Release

OVERVIEW

        Multiple vulnerabilities have been identified in Oracle Database
        Server, versions 11.2.0.4, 12.1.0.2 and 12.2.0.1. [1]

IMPACT

        The vendor has provided the following information regarding the
        vulnerabilities.

        "This Critical Patch Update contains 6 new security fixes for the
        Oracle Database Server. 2 of these vulnerabilities may be remotely
        exploitable without authentication, i.e., may be exploited over a
        network without requiring user credentials. None of these fixes are
        applicable to client-only installations, i.e., installations that do
        not have the Oracle Database Server installed. The English text form
        of this Risk Matrix can be found here." [1]

        "CVE-2017-10321  8.8  AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
        Easily exploitable vulnerability allows low privileged attacker
        having Create session privilege with logon to the infrastructure
        where Core RDBMS executes to compromise Core RDBMS. While the
        vulnerability is in Core RDBMS, attacks may significantly impact
        additional products. Successful attacks of this vulnerability can
        result in takeover of Core RDBMS.
        Note: This score is for Windows platform version 11.2.0.4 of
        Database. For Windows platform version 12.1.0.2 and Linux, the
        score is 7.8 with scope Unchanged.

        CVE-2016-6814  8.3  AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
        Difficult to exploit vulnerability allows unauthenticated attacker
        with network access via multiple protocols to compromise Spatial
        (Apache Groovy). Successful attacks require human interaction from
        a person other than the attacker and while the vulnerability is in
        Spatial (Apache Groovy), attacks may significantly impact additional
        products. Successful attacks of this vulnerability can result in
        takeover of Spatial (Apache Groovy).
        Note: Component installed optionally. Not in the default
        installation.

        CVE-2017-10190  8.2  AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
        Easily exploitable vulnerability allows high privileged attacker
        having Create Session, Create Procedure privilege with logon to the
        infrastructure where Java VM executes to compromise Java VM. While
        the vulnerability is in Java VM, attacks may significantly impact
        additional products. Successful attacks of this vulnerability can
        result in takeover of Java VM.

        CVE-2016-8735  8.1  AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
        Difficult to exploit vulnerability allows unauthenticated attacker
        with network access via multiple protocols to compromise WLM
        (Apache Tomcat). Successful attacks of this vulnerability can result
        in takeover of WLM (Apache Tomcat).

        CVE-2017-10261  6.5  AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
        Easily exploitable vulnerability allows low privileged attacker
        having Create Session privilege with logon to the infrastructure
        where XML Database executes to compromise XML Database. While the
        vulnerability is in XML Database, attacks may significantly impact
        additional products. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access
        to all XML Database accessible data.
        Note: This score is for Windows platform version 11.2.0.4 of
        Database. For Windows platform version 12.1.0.2 and Linux, the
        score is 5.5 with scope Unchanged.

        CVE-2017-10292  2.3  AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
        Easily exploitable vulnerability allows high privileged attacker
        having Create User privilege with logon to the infrastructure where
        RDBMS Security executes to compromise RDBMS Security. Successful
        attacks of this vulnerability can result in unauthorized update,
        insert or delete access to some of RDBMS Security accessible
        data." [2]

MITIGATION

        Oracle states:

        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible.
        Until you apply the CPU fixes, it may be possible to reduce the
        risk of successful attack by blocking network protocols required
        by an attack. For attacks that require certain privileges or access
        to certain packages, removing the privileges or the ability to
        access the packages from users that do not need the privileges may
        help reduce the risk of successful attack. Both approaches may
        break application functionality, so Oracle strongly recommends that
        customers test changes on non-production systems. Neither approach
        should be considered a long-term solution as neither corrects the
        underlying problem." [1]

REFERENCES

        [1] Oracle Critical Patch Update Advisory - October 2017
            http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

        [2] Text Form of Oracle Critical Patch Update - October 2017 Risk
            Matrices
            http://www.oracle.com/technetwork/security-advisory/cpuoct2017verbose-3236627.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWebNW4x+lLeg9Ub1AQhN8Q/9HkDnzXtMgpQgvIaI91xFT4PHXlQZDExO
RQLx/CdRl2zviGQJRrdKIhXRb4XQaQTNbIOFyk1Psn3VxVNX+W3r+XESJLay4LVE
FgqCzS5gihoqtSVmNzkz9YHhmD3i6mV79god7tbIOC9LCS84dd/uN/c5fC7/ETrg
esBRAiN10un3U+/7oXSFjnQiR8AmsmyhltPhwHMhrhNQc0FBnGsq2n7NGgN754gW
nYvcU5GkMruYhPRgxyBD8ac6Ts9m3/ybiI7wYqgx8fFOfQwwpVQV/WKR/lXgwCD/
hcQPYHIHbbEzAvAP/xj0t9Lcy5uq0e7OwatfVDHpVaz0F5LBBfER1qzdc1ZvvLql
q1y0jn5fnjCu/ErxFxWk2P5lpHUq9bd6ENZMD2s4+BbeH0kWX+JU1t/ODvK3p0pi
R07avRR78/h+NZRKixkKJp7SWa5hInP59qh5Gs44LoSFBYcdfk+dNVYuMZi98/Qp
qhs+Cnsb1Et3AF3RldgvQ6BVn9ZgCO2UvbLrsPA2h6Af5PhnjwYXnSP5lguUh/nT
U8LeFr4Op818lsT2nD+kHgSXIFrsc0Da/ZAb46d8KS9Hfq7xAB5OJTWvKGBRj44Z
P4ul2MIG+bMgB/+DDnp811vYoHWVhB3S5ACqN/Ivsa7ppejtQ+YKWTkW8nQeuSj+
AwM9qaHHiU4=
=64wT
-----END PGP SIGNATURE-----
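The MITIGATION section above recommends, as an interim measure, removing Create Session, Create Procedure and Create User privileges from accounts that do not need them, and four of the six risk-matrix entries depend on exactly those privileges or on optionally installed components (Spatial, Java VM, XML Database). The following SQL is an added example of how an administrator could scope that work; it is not part of the AusCERT bulletin or of Oracle's advisory. It assumes a SYSDBA (or SELECT ANY DICTIONARY) connection in SQL*Plus, uses only standard Oracle data-dictionary views, and the account name APP_REPORT in the REVOKE is a hypothetical placeholder.

```sql
-- Added example (not from the AusCERT bulletin or Oracle's CPU advisory).
-- Interim-mitigation scoping for the October 2017 Database CPU entries.
-- Assumes SYSDBA or SELECT ANY DICTIONARY; run against each affected database.

-- 1. Which of the components named in the risk matrix are installed?
--    SDO = Spatial, JAVAVM/CATJAVA = Java VM, XDB/XML = XML Database.
--    A database without the component is not exposed to that entry.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id IN ('SDO', 'JAVAVM', 'CATJAVA', 'XDB', 'XML')
 ORDER BY comp_id;

-- 2. Accounts holding the privileges the CVEs require, whether granted
--    directly or through one level of role (nested roles are not expanded).
--    ORACLE_MAINTAINED exists from 12.1; on 11.2.0.4 drop that predicate
--    and filter Oracle's own schemas by hand.
WITH grants AS (
  SELECT grantee, privilege, 'DIRECT' AS via
    FROM dba_sys_privs
   WHERE privilege IN ('CREATE SESSION', 'CREATE PROCEDURE', 'CREATE USER')
  UNION ALL
  SELECT rp.grantee, sp.privilege, rp.granted_role AS via
    FROM dba_role_privs rp
    JOIN role_sys_privs sp ON sp.role = rp.granted_role
   WHERE sp.privilege IN ('CREATE SESSION', 'CREATE PROCEDURE', 'CREATE USER')
)
SELECT u.username, u.account_status, g.privilege, g.via
  FROM grants g
  JOIN dba_users u ON u.username = g.grantee
 WHERE u.oracle_maintained = 'N'
 ORDER BY u.username, g.privilege;

-- 3. The privilege reduction Oracle describes, for an account (hypothetical
--    name APP_REPORT) found in step 2 that does not create PL/SQL objects.
--    As the advisory warns, test on a non-production copy first: any code
--    path that relied on the privilege will now fail.
REVOKE CREATE PROCEDURE FROM app_report;

-- 4. After patching, confirm the CPU/PSU was actually applied to this
--    database (DBA_REGISTRY_SQLPATCH exists from 12.1; on 11.2.0.4 use
--    DBA_REGISTRY_HISTORY instead).
SELECT patch_id, description, action, status, action_time
  FROM dba_registry_sqlpatch
 ORDER BY action_time DESC;
```

Step 2 deliberately joins to DBA_USERS so that grants to roles themselves are not listed as if they were accounts; if a role holds CREATE PROCEDURE, the users who receive it appear through the second branch of the UNION with the role name in the VIA column, which is the grant to revoke or narrow. Nothing here is a substitute for applying the patch, for the reason Oracle gives in the quoted text.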