VENDOR UPDATE | 7 March 2018

Oracle Critical Patch and Security Updates January 2018 (revision 7)

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Please review our previous Critical Patch Update advisories for more information regarding earlier published security fixes.


Oracle Database Server Executive Summary

This Critical Patch Update contains 5 new security fixes for the Oracle Database Server:

  • 3 of these vulnerabilities may be remotely exploitable without authentication, i.e. may be exploited over a network without requiring user credentials. 
  • 1 of these fixes is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.

This Critical Patch Update applies to the following database versions:

  • Oracle Database 11.2.0.4
  • Oracle Database 12.1.0.2
  • Oracle Database 12.2.0.1
  • Oracle Database 12.2.0.4
The columns from Attack Vector to Availability are the CVSS v3.0 base metrics from which the Base Score is derived.

CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | CVSS v3.0 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-10282 | Core RDBMS | Create Session, Execute Catalog Role | Oracle Net | No | 9.1 | Network | Low | High | None | Changed | High | High | High | 12.1.0.2, 12.2.0.1 |
CVE-2018-2680 | Java VM | Create Session, Create Procedure | Multiple | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1 |
CVE-2017-12617 | WLM (Apache Tomcat) | None | HTTP | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 12.2.0.1 |
CVE-2018-2699 | Application Express | None | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 5.1.4.00.08 |
CVE-2018-2575 | Core RDBMS | Local Logon | Multiple | No | 2.0 | Network | High | High | Required | Unchanged | Low | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1 | See Note 1

Notes:

1. Applicable only to Windows platform.

Oracle Database Server Client-Only Installations

The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2018-2575.


Further Help and Assistance

For further advice about Oracle Critical Patch Updates, including installation planning and consultancy services, please contact a member of our pre-sales technical team on 0330 332 6223 or visit our website, nlightn-IT.
