Oracle于今日发布了最新的 CPU 安全预警,CPU 全名是 Critical Patch Update,每个季度发布一次,用于提醒用户那些安全相关的已知漏洞。
在这一期的CPU预警中,我们注意到大量的 CVE 来自一个即将登录 科创板的明星企业 - 奇安信(Qi’anxin),以下列表中列出的都是其共享的安全漏洞:
- r00t4dm from A-TEAM of Legendsec at Qi’anxin Group: CVE-2020-14636, CVE-2020-14637, CVE-2020-14638, CVE-2020-14639, CVE-2020-14640, CVE-2020-14645, CVE-2020-14652
- Zhongcheng Li (CK01) from Zero-dayits Team of Legendsec at Qi’anxin Group: CVE-2020-14711, CVE-2020-14712
- Ziming Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2020-14707, CVE-2020-14714, CVE-2020-14715
- Ziming Zhang from Codesafe Team of Legendsec at Qi’anxin Group working with Trend Micro Zero Day Initiative: CVE-2020-14698, CVE-2020-14699, CVE-2020-14700
其中 r00t4dm 被 Oracle 认定为具有 “深度安全” 意义。
Oracle感谢那些为我们的“深度安全”计划做出贡献的人们。 如果人们提供与安全漏洞有关的信息,观察或建议,这些人会得到深度安全贡献,这些人会在未来的发行版中对Oracle代码或文档进行重大修改,但是其重要性不至于将其分发到 重要补丁更新。
当然这这一期中,还有很多中国企业的贡献者名字:
lufei of Tencent Force
本次发布共有 27 个和数据库相关的安全漏洞:
19 new security patches for Oracle Database Server. 3 new security patches for Oracle Berkeley DB. 1 new security patch for Oracle Global Lifecycle Management. 3 new security patches for Oracle GoldenGate. 1 new security patch for Oracle TimesTen In-Memory Database.复制
重点关注一下 Oracle Database 产品。其中的主要漏洞是和各类组件相关,大多数用户无需关注。其中最核心的一个漏洞是 CVE-2016-9843 是和Core RDBMS (zlib) 相关,只影响到 18c 版本。
以下是DB相关列表,供参考:
| CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2016-1000031 | MapViewer (Apache Commons FileUpload) | Valid User Account | HTTP | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 12.2.0.1, 18c, 19c | See Note 1 |
| CVE-2020-2968 | Java VM | Create Session, Create Procedure | Multiple | No | 8.0 | Network | High | Low | Required | Changed | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2016-9843 | Core RDBMS (zlib) | Create Session | Oracle Net | No | 7.2 | Network | Low | High | None | Un- changed |
High | High | High | 18c | |
| CVE-2020-2969 | Data Pump | DBA role account | Oracle Net | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2020-8112 | GeoRaster (OpenJPG) | Create Session | Oracle Net | No | 5.7 | Network | Low | Low | Required | Un- changed |
None | None | High | 18c | |
| CVE-2020-2513 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2971 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2972 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2973 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2974 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2976 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2975 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2019-17569 | Workload Manager (Apache Tomcat) | None | HTTP | Yes | 4.8 | Network | High | None | None | Un- changed |
Low | Low | None | 12.2.0.1, 18c, 19c | |
| CVE-2020-2977 | Oracle Application Express | Valid User Account | HTTP | No | 4.6 | Network | Low | Low | Required | Un- changed |
Low | Low | None | 5.1-19.2 | |
| CVE-2020-2978 | Oracle Database - Enterprise Edition | DBA role account | Oracle Net | No | 4.1 | Network | Low | High | None | Changed | None | Low | None | 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2019-13990 | MapViewer (Terracotta Quartz Scheduler, Apache Batik, Google Guava) | Local Logon | None | No | 0.0 | Local | Low | Low | Required | Un- changed |
None | None | None | 12.2.0.1, 18c, 19c | See Note 2 |
| CVE-2018-18314 | Oracle Database (Perl) | Local Logon | None | No | 0.0 | Local | High | High | None | Un- changed |
None | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | See Note 3 |
| CVE-2019-10086 | Spatial Studio (Apache Commons Beanutils) | Local Logon | None | No | 0.0 | Local | Low | Low | None | Un- changed |
None | None | None | Spatial Studio: Prior to 19.2.1 | See Note 4 |
| CVE-2019-16943 | TFA (jackson-databind) | Local Logon | None | No | 0.0 | Local | High | High | None | Un- changed |
None | None | None | 12.2.0.1, 18c, 19c | See Note 5 |
最后修改时间:2020-07-20 09:50:26
「喜欢这篇文章,您的关注和赞赏是给作者最好的鼓励」
关注作者
【版权声明】本文为墨天轮用户原创内容,转载时必须标注文章的来源(墨天轮),文章链接,文章作者等基本信息,否则作者和墨天轮有权追究责任。如果您发现墨天轮中有涉嫌抄袭或者侵权的内容,欢迎发送邮件至:contact@modb.pro进行举报,并提供相关证据,一经查实,墨天轮将立刻删除相关内容。
评论
相关阅读
【专家有话说第五期】在不同年龄段,DBA应该怎样规划自己的职业发展?
墨天轮编辑部
1155次阅读
2025-03-13 11:40:53
Oracle RAC ASM 磁盘组满了,无法扩容怎么在线处理?
Lucifer三思而后行
704次阅读
2025-03-17 11:33:53
Oracle+Deepseek+Dify 实现数据库数据实时分析
bicewow
619次阅读
2025-03-06 09:41:49
【ORACLE】ORACLE19C在19.13版本前的一个严重BUG-24761824
DarkAthena
516次阅读
2025-03-04 14:33:31
Oracle避坑指南|同名表导出难题:如何精准排除指定用户下的表?
szrsu
491次阅读
2025-03-05 00:42:34
Ogg23ai高手必看-MySQL Innodb Cluster跟oracle的亲密接触
曹海峰
426次阅读
2025-03-04 21:56:13
2月“墨力原创作者计划”获奖名单公布
墨天轮编辑部
411次阅读
2025-03-13 14:38:19
【ORACLE】char类型和sql优化器发生的“错误”反应
DarkAthena
390次阅读
2025-03-04 23:05:01
什么,oracle 主机用户被删了?原来是虚惊一场!
Lucifer三思而后行
374次阅读
2025-03-03 21:12:09
Oracle RAC 数据文件添加成本存储的解决办法
ByteHouse
319次阅读
2025-02-26 16:40:50
