VENDOR UPDATE | 16 October 2019

Oracle Database Critical Patch And Security Update October 2019

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Please review our previous Critical Patch Update advisories for more information regarding earlier published security fixes.

Oracle Database Server Executive Summary

This Critical Patch Update contains 11 NEW security fixes for the Oracle Database Server:

  • 10 NEW security fixes for the Oracle Database Server.
    • 2 of these vulnerabilities may be remotely exploitable without authentication (i.e., may be exploited over a network without requiring user credentials).
    • None of these fixes are applicable to client-only installations (i.e., installations that do not have the Oracle Database Server installed).
  • 1 NEW security patch for Oracle NoSQL Database. This vulnerability is remotely exploitable without authentication (i.e., may be exploited over a network without requiring user credentials).

This Critical Patch Update is applicable to the following database versions:

  • Oracle Database 11.2.0.4
  • Oracle Database 12.1.0.2
  • Oracle Database 12.2.0.1
  • Oracle Database 18c
  • Oracle Database 19c
  • Oracle NoSQL Database: >19.3.12

Oracle Database Server Risk Matrix

Columns Base Score through Availability are the CVSS version 3.0 risk metrics.

| CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-2909 | Java VM | None | Multiple | Yes | 6.8 | Network | High | None | None | Changed | None | High | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
| CVE-2019-2956 | Core RDBMS (jackson-databind) | Create Session | Multiple | No | 5.7 | Network | Low | Low | Required | Unchanged | None | None | High | 12.1.0.2, 12.2.0.1, 18c, 19c |
| CVE-2019-2913 | Core RDBMS | Create Session | OracleNet | No | 5.0 | Network | Low | Low | None | Changed | Low | None | None | 12.2.0.1, 18c, 19c |
| CVE-2019-2939 | Core RDBMS | Create Session | OracleNet | No | 5.0 | Network | Low | Low | None | Changed | Low | None | None | 12.2.0.1, 18c, 19c |
| CVE-2018-2875 | Core RDBMS | Create Session | OracleNet | No | 5.0 | Network | Low | Low | None | Changed | Low | None | None | 12.2.0.1, 18c, 19c |
| CVE-2019-2734 | Core RDBMS | Create Session, Execute on DBMS_ADVISOR | OracleNet | No | 4.3 | Network | Low | Low | None | Unchanged | None | Low | None | 12.2.0.1, 18c, 19c |
| CVE-2018-11784 | WLM (Apache Tomcat) | None | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | Low | None | 12.2.0.1, 18c, 19c |
| CVE-2019-2954 | Core RDBMS | Create Session, Create Procedure | Multiple | No | 3.9 | Local | Low | Low | Required | Unchanged | None | Low | Low | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
| CVE-2019-2955 | Core RDBMS | Local Logon | Multiple | No | 3.9 | Local | Low | Low | Required | Unchanged | None | Low | Low | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c |
| CVE-2019-2940 | Core RDBMS | Create Session | OracleNet | No | 2.3 | Local | Low | High | None | Unchanged | None | Low | None | 12.1.0.2, 12.2.0.1, 18c |

Additional CVEs addressed:

  • The patch for CVE-2018-11784 also addresses CVE-2018-8034.
  • The patch for CVE-2019-2956 also addresses CVE-2018-1000873, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361 and CVE-2018-19362.

Oracle NoSQL Database Risk Matrix

Columns Base Score through Availability are the CVSS version 3.0 risk metrics.

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2018-14721 | Oracle NoSQL Database | NoSQL (jackson-databind) | HTTP | Yes | 10.0 | Network | Low | None | None | Changed | High | High | High | Prior to 19.3.12 |

Additional CVEs addressed:

  • The patch for CVE-2018-14721 also addresses CVE-2018-1000873, CVE-2018-11798, CVE-2018-1320, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2019-12086, CVE-2019-12384 and CVE-2019-12814.

Further Help and Assistance

For further advice about Oracle Critical Patch Updates, including installation planning and consultancy services, please contact one of our pre-sales technical team on 0330 332 6223 or visit our website nlightn-IT.
