Oracle Critical Patch and Security Updates October 2017
Oracle Database Server
Oracle Database Server Executive Summary
This Critical Patch Update contains 6 new security fixes for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.
This Critical Patch Update applies to the following database versions:
- Oracle Database 11.2.0.4
- Oracle Database 12.1.0.2
- Oracle Database 12.2.0.1
Oracle Database Server Risk Matrix
The columns Base Score through Availability are the CVSS Version 3.0 risk ratings.
CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
CVE-2017-10321 | Core RDBMS | Create session | Oracle Net | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1 | See Note 1 |
CVE-2016-6814 | Spatial (Apache Groovy) | None | Multiple | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 12.2.0.1 | See Note 2 |
CVE-2017-10190 | Java VM | Create Session, Create Procedure | Multiple | No | 8.2 | Local | Low | High | None | Changed | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1 | |
CVE-2016-8735 | WLM (Apache Tomcat) | None | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 12.2.0.1 | |
CVE-2017-10261 | XML Database | Create Session | Oracle Net | No | 6.5 | Local | Low | Low | None | Changed | High | None | None | 11.2.0.4, 12.1.0.2 | See Note 3 |
CVE-2017-10292 | RDBMS Security | Create User | Oracle Net | No | 2.3 | Local | Low | High | None | Unchanged | None | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1 | |
Notes:
1. This score is for Windows platform version 11.2.0.4 of Database. For Windows platform version 12.1.0.2 and Linux, the score is 7.8 with scope Unchanged.
2. Component installed optionally. Not in the default installation.
3. This score is for Windows platform version 11.2.0.4 of Database. For Windows platform version 12.1.0.2 and Linux, the score is 5.5 with scope Unchanged.
Additional CVEs addressed are below:
- The fix for CVE-2016-8735 also addresses CVE-2016-6816 and CVE-2016-8745
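As an added example (not part of Oracle's advisory or of this page's original text), the Python below recomputes each Base Score in the risk matrix from its listed CVSS 3.0 metrics, using the formula and weights of the FIRST CVSS v3.0 specification. It also shows why Notes 1 and 3 quote lower scores when Scope is Unchanged. The function and variable names are this example's own.

```python
# CVSS v3.0 base-score weights from the FIRST specification.
AV = {"Network": 0.85, "Adjacent": 0.62, "Local": 0.55, "Physical": 0.2}
AC = {"Low": 0.77, "High": 0.44}
UI = {"None": 0.85, "Required": 0.62}
CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}
# Privileges Required is weighted differently when Scope is Changed.
PR = {"Unchanged": {"None": 0.85, "Low": 0.62, "High": 0.27},
      "Changed": {"None": 0.85, "Low": 0.68, "High": 0.5}}

def round_up(x):
    """Round up to one decimal place, in integer arithmetic to avoid float drift."""
    n = round(x * 100000)
    return n / 100000.0 if n % 10000 == 0 else (n // 10000 + 1) / 10.0

def base_score(av, ac, pr, ui, scope, c, i, a):
    """Return the CVSS v3.0 base score for one row of the risk matrix."""
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if scope == "Changed":
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    if impact <= 0:
        return 0.0
    expl = 8.22 * AV[av] * AC[ac] * PR[scope][pr] * UI[ui]
    total = 1.08 * (impact + expl) if scope == "Changed" else impact + expl
    return round_up(min(total, 10))

# Rows transcribed from the risk matrix above: metrics, then the published score.
MATRIX = {
    "CVE-2017-10321": (("Local", "Low", "Low", "None", "Changed", "High", "High", "High"), 8.8),
    "CVE-2016-6814": (("Network", "High", "None", "Required", "Changed", "High", "High", "High"), 8.3),
    "CVE-2017-10190": (("Local", "Low", "High", "None", "Changed", "High", "High", "High"), 8.2),
    "CVE-2016-8735": (("Network", "High", "None", "None", "Unchanged", "High", "High", "High"), 8.1),
    "CVE-2017-10261": (("Local", "Low", "Low", "None", "Changed", "High", "None", "None"), 6.5),
    "CVE-2017-10292": (("Local", "Low", "High", "None", "Unchanged", "None", "Low", "None"), 2.3),
}

def mismatches(matrix=MATRIX):
    """Return {cve: (recomputed, published)} for rows whose scores disagree."""
    scored = {cve: (base_score(*m), pub) for cve, (m, pub) in matrix.items()}
    return {cve: pair for cve, pair in scored.items() if pair[0] != pair[1]}

if __name__ == "__main__":
    for cve, (metrics, published) in MATRIX.items():
        print(cve, "recomputed", base_score(*metrics), "published", published)
    print("mismatches:", mismatches())
```

Re-scoring a row with Scope set to Unchanged reproduces the platform-specific values in Notes 1 and 3, which is a quick way to confirm the rating that applies to a given host before prioritising the patch.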
Further Help and Assistance
For further advice about Oracle Critical Patch Updates, including installation planning and consultancy services, please contact our pre-sales technical team on 0330 332 6223 or visit our website, nlightn-IT.