VENDOR UPDATE | 18 July 2017

Oracle Critical Patch and Security Updates July 2017

Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 5 new security fixes for the Oracle Database Server divided as follows:

  • 4 new security fixes for the Oracle Database Server.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.
  • 1 new security fix for Oracle REST Data Services.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

These Critical patch updates are applicable to the following database versions:

  • Oracle Database 11.2.0.4
  • Oracle Database 12.1.0.2
  • Oracle Database 12.2.0.1

Oracle Database Server Risk Matrix

 

CVE#ComponentPackage and/or Privilege RequiredProtocolRemote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISKSupported Versions AffectedNotes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
ScopeConfid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-10202 OJVM Create Session, Create Procedure Multiple No 9.9 Network Low Low None Changed High High High 11.2.0.4, 12.1.0.2, 12.2.0.1 See Note 1
CVE-2014-3566 DBMS_LDAP None LDAP Yes 6.8 Network High None None Changed High None None 11.2.0.4, 12.1.0.2  
CVE-2016-2183 Real Application Clusters None SSL/TLS Yes 6.8 Network High None Required Un-
changed
High High None 11.2.0.4, 12.1.0.2  
CVE-2017-10120 RDBMS Security Create Session, Select Any Dictionary Oracle Net No 1.9 Local High High None Un-
changed
None Low None 12.1.0.2  

 

Notes:

  1. This score is for Windows platforms. On non-Windows platforms Scope is Unchanged, giving a CVSS Base Score of 8.8.

 

Oracle REST Data Services Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle REST Data Services.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

Oracle REST Data Services Risk Matrix

 

CVE#ComponentPackage and/or Privilege RequiredProtocolRemote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISKSupported Versions AffectedNotes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
ScopeConfid-
entiality
Inte-
grity
Avail-
ability
CVE-2016-3092 Oracle REST Data Services None Multiple Yes 7.5 Network Low None None Un-
changed
None None High Prior to 3.0.10.25.02.36  

 

Further Help and Assistance

For further advice about Oracle Critical Patch Updates, including installation planning and consultancy services, please contact one of our pre-sales technical team on 0330 332 6223 or visit our website nlightn-IT

GET IN TOUCH

Fill out the form and our specialist will contact you for a consultation.

GET IN TOUCH

PARTNERS WE WORK WITH
  • Microsoft
  • Db Visit
  • Oracle
  • Tibero
  • Tmaxsoft
  • Tmaxsoft
nlight-IT