Important alerts from Oracle, August 2018
Oracle issued two security alerts back to back in August:
10 August 2018: CVE-2018-3110
Oracle has just published a security vulnerability alert; please take note: "This Security Alert addresses an Oracle Database vulnerability in
versions 11.2.0.4 and 12.2.0.1 on Windows.
CVE-2018-3110 has a CVSS v3 base score of 9.9,
and can result in complete compromise of the Oracle Database and shell access
to the underlying server. CVE-2018-3110 also affects
Oracle Database version 12.1.0.2 on Windows as well as Oracle Database on Linux
and Unix, however patches for those versions and platforms were included
in the July 2018 CPU".
"2.5 Database OJVM Security fix: CVE-2018-3110 now updated for Database versions.
Fix for CVE-2018-3110 is included in Database OJVM patches for 18, 12.2.0.1, 12.1.0.2 and
11.2.0.4 and is documented in their respective tables in section '3.1.4
Oracle Database' as of 10-Aug-2018."
This issue is a Java vulnerability: every customer whose Oracle DB has not yet been updated to the 20180717 patch is affected. It mainly affects the OJVM built into Oracle DB, so besides applying the 20180717 patch, we recommend applying the OJVM patch at the same time.
31 August 2018: CVE-2018-11776
Oracle has just published a security vulnerability alert; please take note: "This Security Alert addresses
CVE-2018-11776, a vulnerability in Apache Struts 2. CVE-2018-11776 has received
a CVSS v3 base score of 9.8. When the alwaysSelectFullNamespace option is
enabled in a Struts 2 configuration file, and an ACTION tag is specified
without a namespace attribute or a wildcard namespace, this vulnerability can
be used to perform an unauthenticated remote code execution attack which can
lead to a complete compromise of the targeted system." (Apache Struts 2 is an open-source web application framework for Java EE web applications. Administrators of web servers built on the J2EE development framework Apache Struts 2 should take note: if the Struts version your web server uses is one of the affected versions referred to in the alert, a security risk exists; please check the Apache website.)
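The alert describes the risky configuration combination precisely enough to check for it: alwaysSelectFullNamespace enabled together with actions whose package has no namespace attribute or a wildcard namespace. The following Python script is an added example for that audit; it is not code from Oracle, Apache or this blog. It uses the real Struts constant name struts.mapper.alwaysSelectFullNamespace, and both struts.xml samples in it are constructed. Upgrading Struts is the actual fix; the script only finds configurations that need reviewing while that is scheduled.

```python
"""Audit a Struts 2 struts.xml for the CVE-2018-11776 risk combination.

Added example, not from the Oracle alert or the Struts project: it flags the
condition the alert describes (alwaysSelectFullNamespace enabled together with
actions in a package that has no namespace or a wildcard one). Patching Struts
is the fix; this only surfaces configurations to review.
"""
import xml.etree.ElementTree as ET

# Real Struts 2 constant name; its default value is false.
FULL_NS_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"

# Constructed sample: the risky shape described in the alert.
VULNERABLE_XML = """
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result>/index.jsp</result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="list" class="com.example.ListAction"/>
  </package>
</struts>
"""

# Constructed sample: every package carries an explicit, non-wildcard namespace.
HARDENED_XML = """
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" namespace="/" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result>/index.jsp</result>
    </action>
  </package>
</struts>
"""


def full_namespace_enabled(root):
    """True if the config turns alwaysSelectFullNamespace on."""
    for const in root.iter("constant"):
        if const.get("name") == FULL_NS_CONSTANT:
            return const.get("value", "").strip().lower() == "true"
    return False  # Struts default


def risky_packages(root):
    """Packages holding actions whose namespace is missing or a wildcard.

    Actions inherit the namespace of their enclosing <package>, so the
    package attribute is what decides the condition the alert names.
    """
    findings = []
    for pkg in root.iter("package"):
        actions = [a.get("name") for a in pkg.findall("action")]
        if not actions:
            continue  # nothing routable in this package
        ns = pkg.get("namespace")
        if ns is None or ns.strip() == "":
            findings.append((pkg.get("name"), "missing namespace", actions))
        elif "*" in ns:
            findings.append((pkg.get("name"), "wildcard namespace " + ns, actions))
    return findings


def audit(xml_text):
    """Return the option state and, only when it is enabled, the risky packages."""
    root = ET.fromstring(xml_text)
    enabled = full_namespace_enabled(root)
    return {
        "alwaysSelectFullNamespace": enabled,
        "risky_packages": risky_packages(root) if enabled else [],
    }


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_XML), ("hardened", HARDENED_XML)):
        result = audit(text)
        print(label, result["alwaysSelectFullNamespace"], result["risky_packages"])
```

Run it against a real struts.xml by replacing the embedded samples with the file contents; any package listed in risky_packages is one whose actions should get an explicit, non-wildcard namespace until the Struts upgrade lands.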
For removing OJVM, see:
https://mpower-info.blogspot.com/2018/10/oracle-jvm.html