Oracle 公司发布了最新一期的数据库重要补丁更新建议,我们整理和分析10月号的内容以便供用户和读者参考。
此关键补丁更新包含18个新的安全补丁,以及下文所述的针对Oracle数据库产品的其他第三方补丁。其中4个漏洞可能在没有验证的情况下被远程利用,即可能在不需要用户凭证的情况下通过网络被利用.其中1个补丁适用于仅限客户端的安装,即没有安装Oracle数据库服务器的安装。
以下几点需要关注:
- 四个远程无需用户凭证验证漏洞:这四个漏洞分别是
- Oracle Text 组件的 CVE-2020-14734
- Workload Manager 组件的 CVE-2020-13935
- Oracle Application Express 组件的 CVE-2020-11023,
- ORDS 组件的 CVE-2020-11023
这四个漏洞中,除了第一个,其余三个的攻击复杂性都是 Low,也就是容易被利用,如果数据库应用了这些组件,需要特别注意。
- 两个Core RDBMS内核级别漏洞:
- 第一个是 CVE-2019-12900,这个是去年的CVE,评分很高 8.8 分,攻击复杂性低,需要关注,但是这个漏洞需要 DBA 帐号,如果做好权限管控,则无需担忧;
- 第二个是 CVE-2020-14742,需要 SYSDBA帐号才能实现攻击,做好权限账户管控,则风险不大。
- 六个本地Application Express漏洞:
如果未使用 APEX,则无需关注,如果使用了,则需要关注,配合前几个 Apex漏洞统一修复; - 一个 Java VM 漏洞:
CVE-2020-14743,Java VM 的漏洞过去修复了很多,多数和反序列化有关,如果之前处置过,对权限细化管控,则无需担忧,Create Procedure 权限是这个 CVE 的条件,数据库权限严格管控,则无大风险; - 一个高危的 Scheduler 漏洞:
CVE-2020-14735 是和本地登录的任务调度相关漏洞,其积分高达8.8分,建议修复; - Valut和Developer三个小众组件漏洞:
涉及 SQL Developer、Database Vault 和 Filesystem 三个小众组件的漏洞应当极少部署,一般关注即可; - 一个 RDBMS Security 漏洞:
CVE-2020-14901 是和数据库安全相关的,和 Analyze Any 权限相关,做好权限管控,则风险不大。
总结一下,远程无需用户帐号的漏洞风险高,如果安装了相应组件,则需要抓紧修复;本地的主要漏洞,做好权限管理,则风险不高。如果条件许可,可以根据数据库组件情况,进行统一修复。
数据安全漏洞给我们持续的警示就是:
仅安装核心数据库组件,做好权限管理和帐号管控,多数风险可以自然免疫。
最后,值得注意的是,Oracle 数据库的这 18个 CVE 漏洞中,仅有一个来自中国用户 数据安全公司安华金和 的 Eddie Zhu:
Eddie Zhu of Beijing DBSEC Technology Co., Ltd: CVE-2020-14741
这个漏洞是和 Oracle Database Filesystem 相关的,需要高权限,实践风险应该不高:
Resource, Create Table, Create View, Create Procedure, Dbfs_role
感谢 Eddie Zhu.
以下是 Oracle 数据库部分信息的摘录。
Oracle Database Server Risk Matrix
| CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complex |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2019-12900 | Core RDBMS (bzip2) | DBA Level Account | Oracle Net | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2020-14735 | Scheduler | Local Logon | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2020-14734 | Oracle Text | None | Oracle Net | Yes | 8.1 | Network | High | None | None | Un- changed |
High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2020-13935 | Workload Manager (Apache Tomcat) | None | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 12.2.0.1, 18c, 19c | |
| CVE-2020-11023 | Oracle Application Express (jQuery) | None | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 20.2 | |
| CVE-2020-11023 | ORDS (jQuery) | None | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | See Note 1 |
| CVE-2020-14762 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 | |
| CVE-2020-9281 | Oracle Application Express | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 | |
| CVE-2020-14899 | Oracle Application Express Data Reporter | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 | |
| CVE-2020-14900 | Oracle Application Express Group Calendar | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 | |
| CVE-2020-14898 | Oracle Application Express Packaged Apps | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 | |
| CVE-2020-14763 | Oracle Application Express Quick Poll | Valid User Account | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | Prior to 20.2 | |
| CVE-2020-14741 | Database Filesystem | Resource, Create Table, Create View, Create Procedure, Dbfs_role | Oracle Net | No | 4.9 | Network | Low | High | None | Un- changed |
None | None | High | 11.2.0.4, 12.1.0.2, 12.2.0.1 | |
| CVE-2020-14901 | RDBMS Security | Analyze Any | Oracle Net | No | 4.9 | Network | Low | High | None | Un- changed |
High | None | None | 19c | |
| CVE-2020-14736 | Database Vault | Create Public Synonym | Oracle Net | No | 3.8 | Network | Low | High | None | Un- changed |
Low | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1 | |
| CVE-2020-14743 | Java VM | Create Procedure | Multiple | No | 3.1 | Network | High | Low | None | Un- changed |
None | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2020-14740 | SQL Developer Install | Client Computer User Account | Local Logon | No | 2.8 | Local | Low | Low | Required | Un- changed |
Low | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c | |
| CVE-2020-14742 | Core RDBMS | SYSDBA level account | Oracle Net | No | 2.7 | Network | Low | High | None | Un- changed |
None | Low | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
Notes:
- Additional ORDS bugs are documented in the risk matrix "Oracle REST Data Services Risk Matrix"
Additional CVEs addressed are:
- The patch for CVE-2019-12900 also addresses CVE-2016-3189
- The patch for CVE-2020-11023 also addresses CVE-2019-11358 and CVE-2020-11022
- The patch for CVE-2020-13935 also addresses CVE-2020-11996, CVE-2020-13934 and CVE-2020-9484
- The patch for CVE-2020-14734 also addresses CVE-2016-10244, CVE-2016-10328, CVE-2016-5300, CVE-2016-6153, CVE-2017-10989, CVE-2017-13685, CVE-2017-13745, CVE-2017-14232, CVE-2017-15286, CVE-2017-7857, CVE-2017-7858, CVE-2017-7864, CVE-2017-8105, CVE-2017-8287, CVE-2018-18873, CVE-2018-19139, CVE-2018-19539, CVE-2018-19540, CVE-2018-19541, CVE-2018-19542, CVE-2018-19543, CVE-2018-20346, CVE-2018-20505, CVE-2018-20506, CVE-2018-20570, CVE-2018-20584, CVE-2018-20622, CVE-2018-20843, CVE-2018-6942, CVE-2018-8740, CVE-2018-9055, CVE-2018-9154, CVE-2018-9252, CVE-2019-15903, CVE-2019-16168, CVE-2019-5018, CVE-2019-8457, CVE-2019-9936 and CVE-2019-9937
Additional patches are included in this Critical Patch Update for the following non-exploitable CVEs in this Oracle product family:
- Core RDBMS (LZ4): CVE-2019-17543
- Core RDBMS (Zstandard): CVE-2019-11922
- Oracle Database (Perl Expat): CVE-2018-20843 and CVE-2019-15903
- Oracle Spatial and Graph (Apache Log4j): CVE-2020-9488
- Oracle Spatial and Graph (jackson-databind): CVE-2019-16943, CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-5968, CVE-2018-7489, CVE-2019-16942 and CVE-2019-17531
- Oracle Spatial and Graph MapViewer (jQuery): CVE-2020-11023, CVE-2019-11358 and CVE-2020-11022
- SQL Developer (Apache Batik): CVE-2018-8013 and CVE-2017-5662
- SQL Developer (Apache Log4j): CVE-2017-5645
- SQL Developer (Apache POI): CVE-2017-12626, CVE-2016-5000, CVE-2017-5644 and CVE-2019-12415
- SQL Developer (jackson-databind): CVE-2018-7489, CVE-2017-15095, CVE-2017-17485, CVE-2018-1000873, CVE-2018-11307, CVE-2018-12022, CVE-2018-5968, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-16335, CVE-2019-20330 and CVE-2020-8840
- SQL Developer (JCraft JSch): CVE-2016-5725
- SQL Developer Install (Bouncy Castle): CVE-2019-17359, CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, CVE-2016-1000341, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345, CVE-2016-1000346, CVE-2016-1000352, CVE-2017-13098, CVE-2018-1000180, CVE-2018-1000613 and CVE-2018-5382
Oracle Database Server Client-Only Installations
- The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2020-14740.
最后修改时间:2021-01-20 09:31:31
「喜欢这篇文章,您的关注和赞赏是给作者最好的鼓励」
关注作者
【版权声明】本文为墨天轮用户原创内容,转载时必须标注文章的来源(墨天轮),文章链接,文章作者等基本信息,否则作者和墨天轮有权追究责任。如果您发现墨天轮中有涉嫌抄袭或者侵权的内容,欢迎发送邮件至:contact@modb.pro进行举报,并提供相关证据,一经查实,墨天轮将立刻删除相关内容。
文章被以下合辑收录
评论
相关阅读
Oracle DataGuard高可用性解决方案详解
孙莹
573次阅读
2025-03-26 23:27:33
Oracle RAC 一键安装翻车?手把手教你如何排错!
Lucifer三思而后行
533次阅读
2025-04-15 17:24:06
【纯干货】Oracle 19C RU 19.27 发布,如何快速升级和安装?
Lucifer三思而后行
436次阅读
2025-04-18 14:18:38
XTTS跨版本迁移升级方案(11g to 19c RAC for Linux)
zwtian
430次阅读
2025-04-08 09:12:48
墨天轮个人数说知识点合集
JiekeXu
428次阅读
2025-04-01 15:56:03
【ORACLE】记录一些ORACLE的merge into语句的BUG
DarkAthena
427次阅读
2025-04-22 00:20:37
Oracle SQL 执行计划分析与优化指南
Digital Observer
426次阅读
2025-04-01 11:08:44
【ORACLE】你以为的真的是你以为的么?--ORA-38104: Columns referenced in the ON Clause cannot be updated
DarkAthena
405次阅读
2025-04-22 00:13:51
Oracle数据库一键巡检并生成HTML结果,免费脚本速来下载!
陈举超
391次阅读
2025-04-20 10:07:02
Oracle 19c RAC更换IP实战,运维必看!
szrsu
365次阅读
2025-04-08 23:57:08
