
Hands-on | Oracle Database: advisory and remediation guidance for security vulnerability CVE-2018-3110

Dongfang Longma, 2018-11-23
Guo Darui | Dongfang Longma (OLM), Shanghai



01 Vulnerability Description

This is a vulnerability in the database's Java VM component. It can be used to escalate privileges inside the database and ultimately take control of the system, so its impact is severe. Exploiting CVE-2018-3110 only requires a database user with the most basic CREATE SESSION privilege, i.e. the ability to open a session against the database. From there, access to public Java objects yields privilege escalation up to full control of the database. CVE-2018-3110 affects all currently supported database versions.



02 Vulnerability Overview

Oracle recently published a security alert for a privilege-escalation vulnerability (CVE-2018-3110) in the Java Virtual Machine (JVM) component of Oracle Database Server. It shares its root cause with the privilege-escalation vulnerability CVE-2018-3004 that was fixed in Oracle's July Critical Patch Update (CPU) and is an upgraded variant of it. An attacker only needs an authenticated connection to the database to control the Java virtual machine and, using the public access granted on Java objects, escalate privileges and take control of the entire database.

Official English description:

This Security Alert addresses an Oracle Database vulnerability in versions 11.2.0.4 and 12.2.0.1 on Windows. CVE-2018-3110 has a CVSS v3 base score of 9.9, and can result in complete compromise of the Oracle Database and shell access to the underlying server. CVE-2018-3110 also affects Oracle Database version 12.1.0.2 on Windows as well as Oracle Database on Linux and Unix, however patches for those versions and platforms were included in the July 2018 CPU.


If you are running Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows, please apply the patches indicated below. If you are running version 12.1.0.2 on Windows or any version of the database on Linux or Unix and have not yet applied the July 2018 CPU, please do so.



03 Vulnerability Risk Level

Affected database versions

Supported database versions (11.2.0.4 and later):

On Windows, 11.2.0.4 and 12.2.0.1 are affected (including installations that already have the July CPU applied). 12.1.0.2 databases that already have the July CPU applied are not affected by this vulnerability.


Unsupported database versions:

For versions earlier than 11.2.0.4, such as 11.2.0.3, Oracle no longer provides patch support, so this issue cannot be fixed by applying a patch.



04 Remediation Options

1. The affected component is the database's Java VM. This component is generally not in use, so the issue can be remediated by disabling the relevant privileges of the component.

2. For databases still within the supported version range, the issue can be fixed by applying the latest PSU or Combo OJVM PSU.



05 Investigation and Remediation Steps

1) Check the database version and the installed PSUs

select * from v$version;

opatch lsinventory


2) Check the state of the Java VM component

Use the following check script:

column comp_name format a30
column version format a20
column status format a15
column owner format a30
column object_name format a30
column object_type format a15
column long_name format a75
column role format a40
column act_time format a24
column action format a15
column comments format a20
set pagesize 500
set linesize 150
set trimspool on
set serveroutput on
set echo on
spool jvm_info.log

------ REGISTRY INFO ------
SELECT SUBSTR(comp_name, 1, 30) comp_name, SUBSTR(version, 1, 20) version, status
FROM dba_registry
ORDER BY comp_name;

------ REGISTRY HISTORY -------
SELECT TO_CHAR(action_time, 'DD-MON-YYYY HH24:MI:SS') act_time, action, version, id, comments
FROM dba_registry_history
ORDER BY action_time DESC;

------ JAVA OBJECT INFO ------
-- Are there a substantial number of VALID Java objects in SYS?
SELECT owner, object_type, status, COUNT(*)
FROM dba_objects
WHERE object_type LIKE '%JAVA%'
GROUP BY owner, object_type, status
ORDER BY owner, object_type, status;

-- Is the DBMS_JAVA package VALID?
SELECT owner, object_name, object_type, status
FROM dba_objects
WHERE object_name LIKE 'DBMS_JAVA%'
OR object_name LIKE '%INITJVMAUX%'
ORDER BY owner, object_name, object_type;

-- Are there any INVALID Java objects in SYS?
SELECT owner, NVL(longdbcs,object_name) long_name, object_type, status
FROM dba_objects, sys.javasnm$
WHERE object_type LIKE '%JAVA%'
AND status <> 'VALID'
AND short (+) = object_name
ORDER BY owner, long_name, object_type;

------ JAVA ROLE INFO ------
-- The number expected varies by release.
SELECT role
FROM dba_roles
WHERE role LIKE '%JAVA%'
ORDER BY role;

------ MEMORY INFO ------
SELECT *
FROM v$sgastat
WHERE pool = 'java pool' OR name = 'free memory'
ORDER BY pool, name;

------ DATABASE PARAMETER INFO ------
show parameter pool_size
show parameter target
show parameter sga

------ TEST JAVAVM USAGE (and return the JDK version if > 11g) ------
-- Calling routines in DBMS_JAVA will invoke the JavaVM and expose certain problems.
SET SERVEROUTPUT ON
DECLARE
 v


If the Java VM component is not installed in the database, no further action is required.


3) Remediation for 11.2.0.4 and later

Required patches:

Database PSU 11.2.0.4.180717 Patch 27734982

GI PSU 11.2.0.4.180717 Patch 27967757

Oracle JavaVM (OJVM) Component Database PSU 11.2.0.4.180717 Patch 27923163


Example patch application steps

Apply the PSU

As the grid user, unzip the patch file:

unzip p27967757_112040_Linux-x86-64.zip

Create the response file. As the grid user, run emocmrsp:

$ /data/11.2.0.4/grid/OPatch/ocm/bin/emocmrsp

OCM Installation Response Generator 10.3.7.0.0 - Production
Copyright (c) 2005, 2012, Oracle and/or its affiliates.  All rights reserved.

Provide your email address to be informed of security issues, install and
initiate Oracle Configuration Manager. Easier for you if you use your My
Oracle Support Email address/User Name.
Visit http://www.oracle.com/support/policies.html for details.
Email address/User Name:
You have not provided an email address for notification of security issues.
Do you wish to remain uninformed of security issues ([Y]es, [N]o) [N]:  y
The OCM configuration response file (ocm.rsp) was successfully created.

Copy the ocm.rsp file generated in the current directory to /tmp:

$ cp ocm.rsp /tmp/

Fix the ownership of the patch directory:

# chown -R grid:oinstall 27967757/

Apply the PSU as root

Change into the patch directory:

# cd 27967757/

Start patching; the process is fully automatic and needs no further interaction.

Apply the PSU to the ORACLE_HOME:

# /data/11.2.0.4/grid/OPatch/opatch auto -ocmrf /tmp/ocm.rsp -oh /data/oracle/product/11.2.0.4/dbhome_1/

opatch auto succeeded.

On success it returns "succeeded".

Apply the PSU to the clusterware:

# /data/11.2.0.4/grid/OPatch/opatch auto -ocmrf /tmp/ocm.rsp

...

opatch auto succeeded.

On success it returns "succeeded".


Perform the patch operation on each of the two nodes in turn.

Check the patch status with OPatch:

$ORACLE_HOME/OPatch/opatch lspatches

$GRID_HOME/OPatch/opatch lspatches

After patching, run the follow-up steps in the database.


### Replacing the Java system classes while database is up

cd $ORACLE_HOME/sqlpatch/#patch#
sqlplus /nolog
SQL> connect / as sysdba
SQL> @postinstall.sql

### verify patch

set lines 200
select comments, action, version, ID, action_time from dba_registry_history;

### If any packages are invalid

SELECT owner, object_name, object_type FROM dba_objects WHERE status = 'INVALID';

### recompile the objects

SQL> @?/rdbms/admin/utlrp.sql


4) Remediation for older versions, e.g. 11.2.0.3

For 11.2.0.3 databases the issue can be remediated by disabling the relevant privileges of the Java VM component.

If the component is not in use, disabling it is recommended.

Patch 19721304 must be installed first.

The steps are as follows:

Installation
-----------------

To install the patch, follow these steps:

1. Set your current directory to the directory where the patch is located and then run the OPatch utility by entering the following commands:

$ cd <PATCH_TOP_DIR>/19721304
$ opatch apply

2. Verify whether the patch has been successfully installed by running the following command:

$ opatch lsinventory

Postinstallation
----------------------

The following steps load modified SQL files into the database. Note: Perform these steps on each database in the ORACLE_HOME.

1. For each database instance running on the Oracle home being patched, connect to the database using SQL*Plus. Connect as SYSDBA and run the script as follows:

$ sqlplus /nolog
SQL> CONNECT / AS SYSDBA
SQL> @?/sqlpatch/19721304/postinstall.sql

After installation, disable the component:

exec dbms_java_dev.disable;
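As an added example (not part of the original post), the following POSIX shell script applies the decision rule of the steps above to captured text from two of the checks: the dba_registry query of the check script and the output of `opatch lspatches`. The sample outputs embedded in it are constructed, and the patch id is the 11.2.0.4 OJVM PSU listed in step 3.

```shell
#!/bin/sh
# Triage helper for CVE-2018-3110 on 11.2.0.4 (added example, not from the original post).
# Inputs are plain text: the dba_registry output (is "JServer JAVA Virtual Machine"
# installed?) and the `opatch lspatches` output (is the OJVM PSU applied?).
# Constructed samples are used below so it runs offline; against a real system call
#   triage "$(cat registry.txt)" "$($ORACLE_HOME/OPatch/opatch lspatches)"

OJVM_PSU_11204=27923163   # OJVM Component Database PSU 11.2.0.4.180717 (from the post)

# has_javavm <dba_registry output>: succeeds if the JAVAVM component row is present
has_javavm() {
    printf '%s\n' "$1" | grep -q 'JServer JAVA Virtual Machine'
}

# has_patch <patch id> <lspatches output>: lspatches prints one "<id>;<description>" per line
has_patch() {
    printf '%s\n' "$2" | grep -q "^$1;"
}

# triage <dba_registry output> <lspatches output> -> NOT_INSTALLED | PATCHED | VULNERABLE
#   NOT_INSTALLED: Java VM absent, nothing to do
#   PATCHED:       OJVM PSU present (still run postinstall.sql and verify dba_registry_history)
#   VULNERABLE:    apply the OJVM PSU, or run "exec dbms_java_dev.disable;" if the JVM is unused
triage() {
    if ! has_javavm "$1"; then echo NOT_INSTALLED; return 0; fi
    if has_patch "$OJVM_PSU_11204" "$2"; then echo PATCHED; return 0; fi
    echo VULNERABLE
}

# Constructed sample outputs (not captured from any real system)
REGISTRY_NO_JVM='Oracle Database Catalog Views          11.2.0.4.0   VALID
Oracle Database Packages and Types     11.2.0.4.0   VALID'
REGISTRY_WITH_JVM="$REGISTRY_NO_JVM
JServer JAVA Virtual Machine           11.2.0.4.0   VALID"
LSPATCHES_DB_PSU_ONLY='27734982;Database Patch Set Update : 11.2.0.4.180717 (27734982)'
LSPATCHES_WITH_OJVM="27923163;OJVM PATCH SET UPDATE 11.2.0.4.180717 (27923163)
$LSPATCHES_DB_PSU_ONLY"

triage "$REGISTRY_NO_JVM"   "$LSPATCHES_DB_PSU_ONLY"   # NOT_INSTALLED
triage "$REGISTRY_WITH_JVM" "$LSPATCHES_DB_PSU_ONLY"   # VULNERABLE
triage "$REGISTRY_WITH_JVM" "$LSPATCHES_WITH_OJVM"     # PATCHED
```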



06 Summary and Recommendations

1) Installing the patch:

In a RAC cluster environment the patch can be applied in a rolling fashion; if the Java VM component is used in important workloads, it is recommended to take an outage to run postinstall.sql.

In a single-instance environment the PSU installation requires downtime.

2) Disabling the Java VM component:

The bug fixed here is in the Java VM component. If the component is not installed, the issue does not apply. The component is rarely used; where it is not in use, disabling it on all versions with the following command is recommended:

exec dbms_java_dev.disable;



