VENDOR UPDATE | 22 October 2017

Oracle Critical Patch and Security Updates October 2017

Oracle Database Server

Oracle Database Server Executive Summary

This Critical Patch Update contains 6 new security fixes for the Oracle Database Server.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.

These Critical patch updates are applicable to the following database versions:

  • Oracle Database 11.2.0.4
  • Oracle Database 12.1.0.2
  • Oracle Database 12.2.0.1

Oracle Database Server Risk Matrix

 

CVE#ComponentPackage and/or Privilege RequiredProtocolRemote
Exploit
without
Auth.?
CVSS VERSION 3.0 RISKSupported Versions AffectedNotes
Base
Score
Attack
Vector
Attack
Complex
Privs
Req'd
User
Interact
ScopeConfid-
entiality
Inte-
grity
Avail-
ability
CVE-2017-10321 Core RDBMS Create session Oracle Net No 8.8 Local Low Low None Changed High High High 11.2.0.4, 12.1.0.2, 12.2.0.1 See Note 1
CVE-2016-6814 Spatial (Apache Groovy) None Multiple Yes 8.3 Network High None Required Changed High High High 12.2.0.1 See Note 2
CVE-2017-10190 Java VM Create Session, Create Procedure Multiple No 8.2 Local Low High None Changed High High High 11.2.0.4, 12.1.0.2, 12.2.0.1  
CVE-2016-8735 WLM (Apache Tomcat) None Multiple Yes 8.1 Network High None None Un-
changed
High High High 12.2.0.1  
CVE-2017-10261 XML Database Create Session Oracle Net No 6.5 Local Low Low None Changed High None None 11.2.0.4, 12.1.0.2 See Note 3
CVE-2017-10292 RDBMS Security Create User Oracle Net No 2.3 Local Low High None Un-
changed
None Low None 11.2.0.4, 12.1.0.2, 12.2.0.1  

 

Notes:

  • This score is for Windows platform version 11.2.0.4 of Database. For Windows platform version 12.1.0.2 and Linux, the score is 7.8 with scope Unchanged.
  • Component installed optionally. Not in the default installation.
  • This score is for Windows platform version 11.2.0.4 of Database. For Windows platform version 12.1.0.2 and Linux, the score is 5.5 with scope Unchanged.

Additional CVEs addressed are below:

  • The fix for CVE-2016-8735 also addresses CVE-2016-6816 and CVE-2016-8745

Further Help and Assistance

For further advice about Oracle Critical Patch Updates, including installation planning and consultancy services, please contact one of our pre-sales technical team on 0330 332 6223 or visit our website nlightn-IT

GET IN TOUCH

Fill out the form and our specialist will contact you for a consultation.

GET IN TOUCH

PARTNERS WE WORK WITH
  • Microsoft
  • Db Visit
  • Oracle
  • Tibero
  • Tmaxsoft
  • Tmaxsoft
nlight-IT