On April 20, Oracle released its April Critical Patch Update. Oracle strongly recommends applying the patches as soon as possible. Below is a look at the database-related risk matrices:
Database product risk matrix
There are 18 security patches related to database products, broken down as follows:
- 10 new security patches for Oracle Database Products
- 1 new security patch for Oracle Global Lifecycle Management
- No new security patches for Oracle Graph Server and Client, but third party patches are provided
- 4 new security patches for Oracle NoSQL Database
- 1 new security patch for Oracle REST Data Services
- No new security patches for Oracle Secure Backup, but third party patches are provided
- 2 new security patches for Oracle Spatial Studio
- No new security patches for Oracle TimesTen In-Memory Database, but third party patches are provided
Oracle Database risk matrix
10 of the security patches concern Oracle Database itself. 4 of these may be remotely exploitable without authentication (exploitable over the network without a user password). In addition, these security patches are not applicable to client-only installations. The full list is as follows:
CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
CVE-2020-5360 | Oracle Database - Enterprise Edition Security (Dell BSAFE Micro Edition Suite) | None | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12.1.0.2, 12.2.0.1, 18c, 19c | |
CVE-2020-17527 | Workload Manager (Apache Tomcat) | None | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 18c, 19c | |
CVE-2019-3740 | Oracle Database - Enterprise Edition (Dell BSAFE Crypto-J) | None | Oracle Net | Yes | 6.5 | Network | Low | None | Required | Unchanged | High | None | None | 12.1.0.2, 12.2.0.1, 18c, 19c | |
CVE-2020-11023 | Oracle Application Express (jQuery) | None | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | Prior to 20.2 | |
CVE-2021-2234 | Java VM | Create Session | Oracle Net | No | 5.3 | Network | High | Low | None | Unchanged | None | High | None | 12.1.0.2, 12.2.0.1, 18c, 19c | |
CVE-2020-7760 | Oracle Application Express (CodeMirror) | Valid User Account | HTTP | No | 4.3 | Network | Low | Low | None | Unchanged | None | None | Low | Prior to 20.2 | |
CVE-2021-2173 | Recovery | DBA Level Account | Oracle Net | No | 4.1 | Network | Low | High | None | Changed | Low | None | None | 12.1.0.2, 12.2.0.1, 18c, 19c | |
CVE-2021-2175 | Database Vault | Create Any View, Select Any View | Oracle Net | No | 2.7 | Network | Low | High | None | Unchanged | Low | None | None | 12.1.0.2, 12.2.0.1, 18c, 19c | |
CVE-2021-2245 | Oracle Database - Enterprise Edition Unified Audit | Create Audit Policy | Oracle Net | No | 2.7 | Network | Low | High | None | Unchanged | None | Low | None | 18c, 19c | |
CVE-2021-2207 | Oracle Database - Enterprise Edition | RMAN executable | Local Logon | No | 2.3 | Local | Low | High | None | Unchanged | None | Low | None | 12.1.0.2, 12.2.0.1, 18c, 19c | |
Additional notes:
The patch for CVE-2019-3740 also covers CVE-2019-3738 and CVE-2019-3739.
The patch for CVE-2020-11023 also covers CVE-2019-11358 and CVE-2020-11022.
The patch for CVE-2020-17527 also covers CVE-2020-13943 and CVE-2020-9484.
The patch for CVE-2020-5360 also covers CVE-2020-5359.
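As an added example (not part of the original post), the following Python recomputes each row's CVSS 3.1 base score from the eight metrics listed in the matrix above and lists the rows flagged as remotely exploitable without authentication, which is the sanity check and triage a DBA would want before scheduling the patches. The metric weights and rounding rule are those of the CVSS v3.1 specification; the matrix rows are copied from the table above.

```python
import math

# Metric weights from the CVSS v3.1 specification.
AV = {"Network": 0.85, "Adjacent": 0.62, "Local": 0.55, "Physical": 0.2}
AC = {"Low": 0.77, "High": 0.44}
PR = {"None": 0.85, "Low": 0.62, "High": 0.27}          # Scope Unchanged
PR_CHANGED = {"None": 0.85, "Low": 0.68, "High": 0.5}  # Scope Changed
UI = {"None": 0.85, "Required": 0.62}
CIA = {"None": 0.0, "Low": 0.22, "High": 0.56}

def roundup(x):
    """CVSS 3.1 'Roundup': round up to one decimal while guarding float error."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def base_score(av, ac, pr, ui, scope, c, i, a):
    """Compute the CVSS 3.1 base score from the eight base metrics."""
    changed = scope == "Changed"
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    impact = (7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15) if changed else 6.42 * iss
    expl = 8.22 * AV[av] * AC[ac] * (PR_CHANGED if changed else PR)[pr] * UI[ui]
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

# Rows copied from the risk matrix on this page:
# (CVE, remote without auth?, listed score, AV, AC, PR, UI, Scope, C, I, A)
MATRIX = [
    ("CVE-2020-5360", True, 7.5, "Network", "Low", "None", "None", "Unchanged", "None", "None", "High"),
    ("CVE-2020-17527", True, 7.5, "Network", "Low", "None", "None", "Unchanged", "High", "None", "None"),
    ("CVE-2019-3740", True, 6.5, "Network", "Low", "None", "Required", "Unchanged", "High", "None", "None"),
    ("CVE-2020-11023", True, 6.1, "Network", "Low", "None", "Required", "Changed", "Low", "Low", "None"),
    ("CVE-2021-2234", False, 5.3, "Network", "High", "Low", "None", "Unchanged", "None", "High", "None"),
    ("CVE-2020-7760", False, 4.3, "Network", "Low", "Low", "None", "Unchanged", "None", "None", "Low"),
    ("CVE-2021-2173", False, 4.1, "Network", "Low", "High", "None", "Changed", "Low", "None", "None"),
    ("CVE-2021-2175", False, 2.7, "Network", "Low", "High", "None", "Unchanged", "Low", "None", "None"),
    ("CVE-2021-2245", False, 2.7, "Network", "Low", "High", "None", "Unchanged", "None", "Low", "None"),
    ("CVE-2021-2207", False, 2.3, "Local", "Low", "High", "None", "Unchanged", "None", "Low", "None"),
]

def check_matrix(rows=MATRIX):
    """Recompute every row's score; return (CVEs whose listed score disagrees, remote-unauth CVEs)."""
    mismatches = [r[0] for r in rows if base_score(*r[3:]) != r[2]]
    remote_unauth = [r[0] for r in rows if r[1]]
    return mismatches, remote_unauth

if __name__ == "__main__":
    bad, remote = check_matrix()
    print("score mismatches:", bad or "none")
    print("remotely exploitable without auth:", ", ".join(remote))
```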
Last modified: 2021-04-21 10:28:03
[Copyright notice] This article is original content by a 墨天轮 (modb.pro) user. When reproducing it, the source (墨天轮), the article link, the author and other basic information must be credited; otherwise the author and 墨天轮 reserve the right to pursue liability. If you find content on 墨天轮 that appears to be plagiarised or infringing, please report it by e-mail to contact@modb.pro with supporting evidence; once verified, 墨天轮 will remove the content immediately.