A vulnerability was found in Oracle Database Server 11.2.0.4/12.1.0.2/12.2.0.1/18c/19c (Database Software) and classified as critical. This issue affects an unknown code block of the component Java VM. The manipulation with an unknown input leads to a privilege escalation vulnerability. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.11,29,212.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows low privileged attacker having Create Session privilege with network access via multiple protocols to compromise Java VM. Successful attacks of this vulnerability can result in takeover of Java VM. CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

The weakness was published 01/15/2020 as Oracle Critical Patch Update Advisory - January 2020 as confirmed advisory (Website). The advisory is shared at oracle.com. The identification of this vulnerability is CVE-2020-2518. The exploitation is known to be difficult. The attack may be initiated remotely. The requirement for exploitation is a simple authentication. Neither technical details nor an exploit are publicly available.

Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

Productinfo

Type

• Database Software

Vendor

• Oracle

Name

• Database Server

Version

• 11.2.0.4
• 12.1.0.2
• 12.2.0.1
• 18c
• 19c

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion