CVE-2017-10202 in Database Server
Summary
by MITRE
Vulnerability in the OJVM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2 and 12.2.0.1. Easily exploitable vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via multiple protocols to compromise OJVM. While the vulnerability is in OJVM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of OJVM. Note: This score is for Windows platforms. On non-Windows platforms Scope is Unchanged, giving a CVSS Base Score of 8.8. CVSS 3.0 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 01/01/2021
The CVE-2017-10202 vulnerability represents a critical security flaw within Oracle's Oracle Java Virtual Machine (OJVM) component of the Oracle Database Server. This vulnerability affects specific versions including 11.2.0.4, 12.1.0.2, and 12.2.0.1, making it particularly concerning for organizations maintaining these database versions. The vulnerability operates at the core of Oracle's Java execution environment, which serves as a critical component for executing Java-based applications and stored procedures within the database ecosystem.
The technical nature of this vulnerability lies within the OJVM's insufficient input validation and privilege handling mechanisms. Attackers with minimal database privileges including Create Session and Create Procedure can exploit this weakness to execute arbitrary code within the OJVM context. The vulnerability's exploitability is classified as easily accessible due to the relatively low privilege requirements and the network-based attack vector that allows remote exploitation. The attack surface is broad as it can be initiated through multiple network protocols, making detection and prevention more challenging for security teams.
The operational impact of successful exploitation is severe and potentially catastrophic for affected organizations. The vulnerability allows attackers to completely compromise the OJVM environment, potentially leading to full system takeover. This represents a significant elevation of privileges from the initial attack vector, as the compromised OJVM can then be used as a launching point for further attacks within the database infrastructure. The confidentiality, integrity, and availability impacts are rated as high, indicating that attackers could potentially access sensitive data, modify critical database components, or cause complete system outages.
This vulnerability aligns with CWE-20 (Improper Input Validation) and demonstrates characteristics consistent with attack patterns found in the MITRE ATT&CK framework under the T1059.007 technique for Command and Scripting Interpreter. The CVSS score of 9.9 for Windows platforms and 8.8 for non-Windows platforms reflects the severity of the threat, with the scope being elevated from unchanged to changed on Windows systems. Organizations should implement immediate mitigation strategies including applying the relevant Oracle security patches, restricting network access to database servers, implementing network segmentation, and monitoring for suspicious database activities. The vulnerability's impact extends beyond just the OJVM component as it can potentially affect other Oracle products that rely on the database's Java execution environment, making comprehensive security assessment and remediation essential for enterprise environments.