VENDOR UPDATE | 16 October 2019
Oracle Database Critical Patch And Security Update October 2019
Description
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Please review our previous Critical Patch Update advisories for more information regarding earlier published security fixes.
Oracle Database Server Executive Summary
This Critical Patch Update contains 11 NEW security fixes for the Oracle Database Server:
- 10 NEW security fixes for the Oracle Database Server.
- 2 of these vulnerabilities may be remotely exploitable without authentication, (i.e., may be exploited over a network without requiring user credentials).
- None of these fixes are applicable to client-only installations, (i.e., installations that do not have the Oracle Database Server installed).
- 1 NEW security patch for Oracle NoSQL Database. This vulnerability is remotely exploitable without authentication, (i.e., may be exploited over a network without requiring user credentials).
These Critical patch updates are applicable to the following database versions:
- Oracle Database 11.2.0.4
- Oracle Database 12.1.0.2
- Oracle Database 12.2.0.1
- Oracle Database 18c
- Oracle Database 19c
- Oracle NoSQL Database: >19.3.12
Oracle Database Server Risk Matrix
| CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.0 RISK | Supported Versions Affected | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confid- entiality | Inte- grity | Avail- ability | ||||||
| CVE-2019-2909 | Java VM | None | Multiple | Yes | 6.8 | Network | High | None | None | Changed | None | High | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
| CVE-2019-2956 | Core RDBMS (jackson-databind) | Create Session | Multiple | No | 5.7 | Network | Low | Low | Required | Un- changed |
None | None | High | 12.1.0.2, 12.2.0.1, 18c, 19c |
| CVE-2019-2913 | Core RDBMS | Create Session | OracleNet | No | 5.0 | Network | Low | Low | None | Changed | Low | None | None | 12.2.0.1, 18c, 19c |
| CVE-2019-2939 | Core RDBMS | Create Session | OracleNet | No | 5.0 | Network | Low | Low | None | Changed | Low | None | None | 12.2.0.1, 18c, 19c |
| CVE-2018-2875 | Core RDBMS | Create Session | OracleNet | No | 5.0 | Network | Low | Low | None | Changed | Low | None | None | 12.2.0.1, 18c, 19c |
| CVE-2019-2734 | Core RDBMS | Create Session, Execute on DBMS_ADVISOR | OracleNet | No | 4.3 | Network | Low | Low | None | Un- changed |
None | Low | None | 12.2.0.1, 18c, 19c |
| CVE-2018-11784 | WLM (Apache Tomcat) | None | HTTP | Yes | 4.3 | Network | Low | None | Required | Un- changed |
None | Low | None | 12.2.0.1, 18c, 19c |
| CVE-2019-2954 | Core RDBMS | Create Session, Create Procedure | Multiple | No | 3.9 | Local | Low | Low | Required | Un- changed |
None | Low | Low | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
| CVE-2019-2955 | Core RDBMS | Local Logon | Multiple | No | 3.9 | Local | Low | Low | Required | Un- changed |
None | Low | Low | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
| CVE-2019-2940 | Core RDBMS | Create Session | OracleNet | No | 2.3 | Local | Low | High | None | Un- changed |
None | Low | None | 12.1.0.2, 12.2.0.1, 18c |
Additional CVE's Addressed Are below:
- The patch for CVE-2018-11784 also addresses CVE-2018-8034.
- The patch for CVE-2019-2956 also addresses CVE-2018-1000873, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361 and CVE-2018-19362.
Oracle NoSQL Database Risk Matrix
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.0 RISK | Supported Versions Affected | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confid- entiality | Inte- grity | Avail- ability | ||||||
| CVE-2018-14721 | Oracle NoSQL Database | NoSQL (jackson-databind) | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | Prior to 19.3.12 |
Additional CVE's Addressed Are below:
- The patch for CVE-2018-14721 also addresses CVE-2018-1000873, CVE-2018-11798, CVE-2018-1320, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2019-12086, CVE-2019-12384 and CVE-2019-12814.
Further Help and Assistance
For further advice about Oracle Critical Patch Updates, including installation planning and consultancy services, please contact one of our pre-sales technical team on 0330 332 6223 or visit our website nlightn-IT
Share this article
Latest Articles
- 22 October 2021
Oracle Database Critical Patch And Security Update October 2021 - 22 July 2021
Oracle Database Critical Patch And Security Update July 2021 - 26 April 2021
Oracle Database Critical Patch And Security Update April 2021 - 22 January 2021
Oracle Database Critical Patch And Security Update January 2021 - 27 October 2020
Oracle Database Critical Patch And Security Update October 2020 - 16 July 2020
Oracle Database Critical Patch And Security Update July 2020 - 15 April 2020
Oracle Database Critical Patch And Security Update April 2020 - 23 January 2020
Oracle Database Critical Patch And Security Update January 2020 - 16 October 2019
Oracle Database Critical Patch And Security Update October 2019 - 17 July 2019
Oracle Database Critical Patch And Scurity Update July 2019
