Important Security Alerts from Oracle, August 2018


In August 2018 Oracle issued two out-of-band Security Alerts in quick succession, summarised below.

2018-08-10: CVE-2018-3110
Oracle has published a new security alert; please take note: "This Security Alert addresses an Oracle Database vulnerability in versions 11.2.0.4 and 12.2.0.1 on Windows. CVE-2018-3110 has a CVSS v3 base score of 9.9, and can result in complete compromise of the Oracle Database and shell access to the underlying server. CVE-2018-3110 also affects Oracle Database version 12.1.0.2 on Windows as well as Oracle Database on Linux and Unix, however patches for those versions and platforms were included in the July 2018 CPU".

Oracle also added the following note to its Critical Patch Update advisory:
"2.5 Database OJVM Security fix CVE-2018-3110 now updated for Database versions
Fix for CVE-2018-3110 is included in Database OJVM patches for 18, 12.2.0.1, 12.1.0.2 and 11.2.0.4 and is documented in their respective tables in section '3.1.4 Oracle Database' as of 10-Aug-2018."

This is a vulnerability in the Java VM (OJVM) component built into Oracle Database, not in client software. Any database that has not yet applied the July 2018 Critical Patch Update (the 20180717 patch) is affected, and per the alert above, 11.2.0.4 and 12.2.0.1 on Windows need the separate Security Alert patch as well. The OJVM fix ships as its own patch alongside the database CPU patch, so apply the 20180717 CPU and the matching OJVM patch for your release; applying the database patch alone does not fix this CVE.


2018-08-31: CVE-2018-11776

Oracle has published a new security alert; please take note: "This Security Alert addresses CVE-2018-11776, a vulnerability in Apache Struts 2. CVE-2018-11776 has received a CVSS v3 base score of 9.8. When the alwaysSelectFullNamespace option is enabled in a Struts 2 configuration file, and an ACTION tag is specified without a namespace attribute or a wildcard namespace, this vulnerability can be used to perform an unauthenticated remote code execution attack which can lead to a complete compromise of the targeted system." (Apache Struts 2 is an open-source web application framework for Java EE. Administrators of web servers built on Apache Struts 2 should check the framework version in use: if it is one of the affected releases, the server is at risk. Apache fixed the issue in Struts 2.3.35 and 2.5.17; see the Apache Struts security bulletin S2-057 on the Apache site for the affected version ranges.)
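As an added example (not code from the original post, from Oracle, or from Apache), the following Python script audits a Struts 2 configuration for the precondition quoted above: the struts.mapper.alwaysSelectFullNamespace constant set to true, combined with actions whose enclosing package has no namespace attribute or a wildcard one. In Struts 2 the namespace attribute lives on the package element and every action inside inherits it, so that is where the check looks. The embedded struts.xml sample is constructed for illustration; this is a configuration check, not an exploit, and it does not replace upgrading Struts.

```python
# Added example: static check for the CVE-2018-11776 configuration precondition.
# Not code from the original post, Oracle or Apache; the sample config below is
# constructed. Run: python struts_ns_check.py [path/to/struts.xml]
import sys
import xml.etree.ElementTree as ET

FULL_NS_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"

# Constructed sample struts.xml: the risky constant is on, the "default"
# package has no namespace, "wild" uses a wildcard namespace, "fixed" is safe.
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result>/index.jsp</result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="help" class="com.example.HelpAction">
      <result>/help.jsp</result>
    </action>
  </package>
  <package name="fixed" namespace="/admin" extends="struts-default">
    <action name="login" class="com.example.LoginAction">
      <result>/login.jsp</result>
    </action>
  </package>
</struts>
"""


def full_namespace_enabled(root: ET.Element) -> bool:
    """True if struts.xml sets alwaysSelectFullNamespace to true via <constant>."""
    for const in root.iter("constant"):
        if const.get("name") == FULL_NS_CONSTANT:
            if (const.get("value") or "").strip().lower() == "true":
                return True
    return False


def full_namespace_enabled_in_properties(text: str) -> bool:
    """Same check for the struts.properties form: key=value, one per line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == FULL_NS_CONSTANT and value.strip().lower() == "true":
            return True
    return False


def exposed_actions(root: ET.Element):
    """Actions whose enclosing <package> has no namespace or a wildcard one.

    The namespace is a <package> attribute inherited by every <action> in it,
    so a missing or wildcard ("*") namespace is detected at the package level.
    Returns (package name, action name, namespace) tuples in document order.
    """
    hits = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns is None or ns.strip() == "" or "*" in ns:
            for action in pkg.findall("action"):
                hits.append((pkg.get("name"), action.get("name"), ns))
    return hits


def scan(struts_xml: str) -> dict:
    """Combine both conditions; at_risk is True only when both hold."""
    root = ET.fromstring(struts_xml)
    enabled = full_namespace_enabled(root)
    exposed = exposed_actions(root)
    return {
        "always_select_full_namespace": enabled,
        "exposed_actions": exposed,
        "at_risk": enabled and bool(exposed),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_STRUTS_XML
    report = scan(xml_text)
    print(f"alwaysSelectFullNamespace enabled: {report['always_select_full_namespace']}")
    for pkg, action, ns in report["exposed_actions"]:
        print(f"  package={pkg!r} action={action!r} namespace={ns!r}")
    if report["at_risk"]:
        print("AT RISK: CVE-2018-11776 configuration precondition is met")
    else:
        print("Precondition not met in this configuration")
```

Run it against the real struts.xml of each Struts 2 deployment; a hit means the configuration matches the condition in Oracle's alert and the application should be upgraded to a fixed Struts release regardless of whether the finding is later cleaned up in the configuration.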

For removing OJVM where it is not needed, see:
https://mpower-info.blogspot.com/2018/10/oracle-jvm.html

