Oracle released its latest Critical Patch Update (CPU) advisory today. A CPU is published once a quarter and lists the known security vulnerabilities fixed across Oracle products in that release.
In this CPU we noticed that a large share of the CVE credits go to Qi'anxin (奇安信), a high-profile company about to list on the STAR Market (科创板). All of the credits below are reports shared by its teams:
- r00t4dm from A-TEAM of Legendsec at Qi’anxin Group: CVE-2020-14636, CVE-2020-14637, CVE-2020-14638, CVE-2020-14639, CVE-2020-14640, CVE-2020-14645, CVE-2020-14652
- Zhongcheng Li (CK01) from Zero-dayits Team of Legendsec at Qi’anxin Group: CVE-2020-14711, CVE-2020-14712
- Ziming Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2020-14707, CVE-2020-14714, CVE-2020-14715
- Ziming Zhang from Codesafe Team of Legendsec at Qi’anxin Group working with Trend Micro Zero Day Initiative: CVE-2020-14698, CVE-2020-14699, CVE-2020-14700
Among them, r00t4dm is also acknowledged by Oracle under its "Security-In-Depth" program.
Oracle's description of that program: Oracle acknowledges people who contribute to its Security-In-Depth program. Contributors are credited when they provide information, observations or suggestions about security vulnerability issues that result in significant modifications to Oracle code or documentation in future releases, but that are not of such a critical nature that the fix is distributed in a Critical Patch Update.
This CPU also credits researchers from other Chinese companies, for example:
- lufei of Tencent Force
This release contains 27 database-related security patches in total:
- 19 new security patches for Oracle Database Server.
- 3 new security patches for Oracle Berkeley DB.
- 1 new security patch for Oracle Global Lifecycle Management.
- 3 new security patches for Oracle GoldenGate.
- 1 new security patch for Oracle TimesTen In-Memory Database.
Looking specifically at Oracle Database Server: most of the entries are in optional or bundled components (MapViewer, Application Express, Workload Manager, Spatial Studio, TFA) and in the third-party libraries they ship (Apache Commons FileUpload, Apache Tomcat, jackson-databind, OpenJPG, Perl), so most users only need to check whether those components are actually installed. The one fix in the database engine itself is CVE-2016-9843 in Core RDBMS (zlib), CVSS 7.2, which affects only 18c. Two other rows deserve a closer look: CVE-2016-1000031 (MapViewer, 8.8) and CVE-2020-2968 (Java VM, 8.0), the latter affecting every supported release from 11.2.0.4 through 19c. CVE-2019-17569 (Workload Manager, Apache Tomcat) is the only entry marked as remotely exploitable without authentication, although it scores only 4.8.
The Database-related entries are listed below for reference:
Columns Base Score through Availability are the CVSS version 3.1 risk metrics (see Oracle's Risk Matrix Definitions).

| CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-1000031 | MapViewer (Apache Commons FileUpload) | Valid User Account | HTTP | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 12.2.0.1, 18c, 19c | See Note 1 |
| CVE-2020-2968 | Java VM | Create Session, Create Procedure | Multiple | No | 8.0 | Network | High | Low | Required | Changed | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2016-9843 | Core RDBMS (zlib) | Create Session | Oracle Net | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 18c | |
| CVE-2020-2969 | Data Pump | DBA role account | Oracle Net | No | 6.6 | Network | High | High | None | Unchanged | High | High | High | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2020-8112 | GeoRaster (OpenJPG) | Create Session | Oracle Net | No | 5.7 | Network | Low | Low | Required | Unchanged | None | None | High | 18c | |
| CVE-2020-2513 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2971 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2972 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2973 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2974 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2976 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2975 | Oracle Application Express | SQL Workshop | HTTP | No | 5.4 | Network | Low | Low | Required | Changed | Low | Low | None | 5.1-19.2 | |
| CVE-2019-17569 | Workload Manager (Apache Tomcat) | None | HTTP | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 12.2.0.1, 18c, 19c | |
| CVE-2020-2977 | Oracle Application Express | Valid User Account | HTTP | No | 4.6 | Network | Low | Low | Required | Unchanged | Low | Low | None | 5.1-19.2 | |
| CVE-2020-2978 | Oracle Database - Enterprise Edition | DBA role account | Oracle Net | No | 4.1 | Network | Low | High | None | Changed | None | Low | None | 12.1.0.2, 12.2.0.1, 18c, 19c | |
| CVE-2019-13990 | MapViewer (Terracotta Quartz Scheduler, Apache Batik, Google Guava) | Local Logon | None | No | 0.0 | Local | Low | Low | Required | Unchanged | None | None | None | 12.2.0.1, 18c, 19c | See Note 2 |
| CVE-2018-18314 | Oracle Database (Perl) | Local Logon | None | No | 0.0 | Local | High | High | None | Unchanged | None | None | None | 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | See Note 3 |
| CVE-2019-10086 | Spatial Studio (Apache Commons Beanutils) | Local Logon | None | No | 0.0 | Local | Low | Low | None | Unchanged | None | None | None | Spatial Studio: Prior to 19.2.1 | See Note 4 |
| CVE-2019-16943 | TFA (jackson-databind) | Local Logon | None | No | 0.0 | Local | High | High | None | Unchanged | None | None | None | 12.2.0.1, 18c, 19c | See Note 5 |
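The Base Score column is not an independent judgement: it is computed from the eight metric columns to its right with the CVSS v3.1 formulas, which is also why the four local-only rows with Confidentiality, Integrity and Availability all "None" score exactly 0.0. The following calculator is an added example (it is not from the original post or from Oracle) that maps the matrix's column words to the specification's metric weights, recomputes every row, and renders each row as a standard vector string for use in tickets. The function and constant names are this example's own; the rows embedded in it are copied from the matrix above.

```python
"""CVSS v3.1 base-score check for the Oracle Database risk matrix.

Added example, not Oracle's code: it maps the matrix's metric columns
("Network", "Low", "Changed", ...) to the weights in the CVSS v3.1
specification and recomputes the published Base Score from them.
Function and constant names below are this example's own.
"""
import math

# Metric weights from the CVSS v3.1 specification (section 7.4).
AV = {"Network": 0.85, "Adjacent": 0.62, "Local": 0.55, "Physical": 0.20}
AC = {"Low": 0.77, "High": 0.44}
UI = {"None": 0.85, "Required": 0.62}
CIA = {"High": 0.56, "Low": 0.22, "None": 0.0}
# Privileges Required weighs more when Scope is Changed.
PR = {
    "Unchanged": {"None": 0.85, "Low": 0.62, "High": 0.27},
    "Changed": {"None": 0.85, "Low": 0.68, "High": 0.50},
}
# Single-letter forms used in CVSS:3.1 vector strings.
ABBREV = {"Network": "N", "Adjacent": "A", "Local": "L", "Physical": "P",
          "High": "H", "Low": "L", "None": "N", "Required": "R",
          "Unchanged": "U", "Changed": "C"}


def roundup(value):
    """Roundup() from CVSS v3.1 Appendix A: round up to one decimal place
    with integer arithmetic, so 4.0206 -> 4.1 while 8.0000 stays 8.0."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, conf, integ, avail):
    """CVSS v3.1 base score from the eight metric words of one matrix row."""
    iss = 1 - (1 - CIA[conf]) * (1 - CIA[integ]) * (1 - CIA[avail])
    if scope == "Unchanged":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * AV[av] * AC[ac] * PR[scope][pr] * UI[ui]
    if impact <= 0:  # C/I/A all "None": this is why several rows score 0.0
        return 0.0
    if scope == "Unchanged":
        return roundup(min(impact + exploitability, 10))
    return roundup(min(1.08 * (impact + exploitability), 10))


def vector_string(av, ac, pr, ui, scope, conf, integ, avail):
    """Render the same eight words as a standard CVSS:3.1 vector string."""
    names = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
    values = (av, ac, pr, ui, scope, conf, integ, avail)
    return "CVSS:3.1/" + "/".join(f"{n}:{ABBREV[v]}" for n, v in zip(names, values))


# Rows copied from the risk matrix above (the seven APEX SQL Workshop rows
# share one metric pattern, so only CVE-2020-2513 is listed for them):
# (CVE, published score, AV, AC, PR, UI, Scope, C, I, A).
MATRIX_ROWS = [
    ("CVE-2016-1000031", 8.8, "Network", "Low", "Low", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2020-2968", 8.0, "Network", "High", "Low", "Required", "Changed", "High", "High", "High"),
    ("CVE-2016-9843", 7.2, "Network", "Low", "High", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2020-2969", 6.6, "Network", "High", "High", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2020-8112", 5.7, "Network", "Low", "Low", "Required", "Unchanged", "None", "None", "High"),
    ("CVE-2020-2513", 5.4, "Network", "Low", "Low", "Required", "Changed", "Low", "Low", "None"),
    ("CVE-2019-17569", 4.8, "Network", "High", "None", "None", "Unchanged", "Low", "Low", "None"),
    ("CVE-2020-2977", 4.6, "Network", "Low", "Low", "Required", "Unchanged", "Low", "Low", "None"),
    ("CVE-2020-2978", 4.1, "Network", "Low", "High", "None", "Changed", "None", "Low", "None"),
    ("CVE-2019-13990", 0.0, "Local", "Low", "Low", "Required", "Unchanged", "None", "None", "None"),
    ("CVE-2018-18314", 0.0, "Local", "High", "High", "None", "Unchanged", "None", "None", "None"),
    ("CVE-2019-10086", 0.0, "Local", "Low", "Low", "None", "Unchanged", "None", "None", "None"),
    ("CVE-2019-16943", 0.0, "Local", "High", "High", "None", "Unchanged", "None", "None", "None"),
]


def verify_matrix(rows=MATRIX_ROWS):
    """Return (cve, published, recomputed) for every row whose published
    score differs from the recomputed one; an empty list means all agree."""
    return [(cve, pub, base_score(*m)) for cve, pub, *m in rows
            if base_score(*m) != pub]


if __name__ == "__main__":
    for cve, pub, *metrics in MATRIX_ROWS:
        print(f"{cve:17} {pub:4} {base_score(*metrics):4} {vector_string(*metrics)}")
    print("mismatches:", verify_matrix())
```

Running it reproduces every published score, and the vector strings make the privilege assumptions explicit: CVE-2016-9843 and CVE-2020-2978 carry PR:H (a DBA-level account), while the 8.8 MapViewer entry needs only a valid low-privilege account (PR:L) over HTTP, which is worth more in a triage discussion than the raw score alone.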
Last modified: 2020-07-20 09:50:26
[Copyright notice] This article is original content by a 墨天轮 (modb.pro) user. When reposting it, the source (墨天轮), the article link and the author must be credited; otherwise the author and 墨天轮 reserve the right to take action. If you find content on 墨天轮 that appears to be plagiarized or infringing, please report it to contact@modb.pro with supporting evidence, and 墨天轮 will remove the content once the report is verified.