How to understand CVE security vulnerabilities

2025-01-18 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31

This article explains how to understand CVE security vulnerabilities, using entries from the Oracle Database Server Risk Matrix.

The Oracle Database Server Risk Matrix describes a security patch with the following statement:

This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

The key phrase is "This vulnerability is remotely exploitable without authentication": the vulnerability can be exploited over the network without user credentials.

"Without authentication" here means without the corresponding authority: for example, a user who has no DBA privilege and holds only the Create Session privilege may bypass normal authorization and obtain DBA privileges.

In other words, the normal checks on user identity or privileges can be bypassed, which is why it is a vulnerability.

For example, a user with only query permissions could add, delete, and modify data, which is very dangerous.

As another example, a user who holds only the EXECUTE_CATALOG_ROLE role could obtain DBA privileges through SQL injection.

| CVE# | Component | Package and/or Privilege Required |
|---|---|---|
| CVE-2018-2939 | Core RDBMS | Local Logon |
| CVE-2018-2841 | Java VM | Create Session, Create Procedure |
| CVE-2018-3004 | Java VM | Create Session, Create Procedure |

For CVE-2018-3004 and CVE-2018-2841, a user with only the Create Session and Create Procedure privileges may bypass the normal permission checks and obtain higher privileges.

That is to say, if a user's password is stolen or someone else uses the account, that person can use this vulnerability to escalate the account's privileges and then do harm.
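To find out which accounts meet the "Package and/or Privilege Required" column, the matrix rows can be compared with the privileges each account actually holds, including those inherited through roles. The following Python example is added here and is not part of the original article or Oracle's advisory; the account names, role names and grants are constructed sample data, assumed to be shaped like an export from the DBA_SYS_PRIVS and DBA_ROLE_PRIVS views.

```python
# Rows copied from the risk matrix on this page: (CVE, component, privilege required).
RISK_MATRIX = [
    ("CVE-2018-2939", "Core RDBMS", "Local Logon"),
    ("CVE-2018-2841", "Java VM", "Create Session, Create Procedure"),
    ("CVE-2018-3004", "Java VM", "Create Session, Create Procedure"),
]

# Constructed sample inventory (hypothetical accounts and roles), assumed to be
# exported from the DBA_SYS_PRIVS and DBA_ROLE_PRIVS views.
DIRECT_PRIVS = {
    "APP_RO": {"CREATE SESSION"},
    "APP_DEV": {"CREATE SESSION"},
    "BATCH": {"CREATE SESSION", "CREATE PROCEDURE"},
    "DEV_ROLE": {"CREATE PROCEDURE"},
    "BASE_ROLE": set(),
}
ROLE_GRANTS = {"APP_DEV": {"BASE_ROLE"}, "BASE_ROLE": {"DEV_ROLE"}}
ACCOUNTS = ["APP_RO", "APP_DEV", "BATCH"]


def effective_privs(grantee, seen=None):
    """Direct privileges plus everything inherited through nested roles."""
    seen = set() if seen is None else seen
    if grantee in seen:  # defensive guard against a circular role map
        return set()
    seen.add(grantee)
    privs = set(DIRECT_PRIVS.get(grantee, set()))
    for role in ROLE_GRANTS.get(grantee, set()):
        privs |= effective_privs(role, seen)
    return privs


def exposed_accounts():
    """Map each CVE to the accounts holding every privilege the matrix lists."""
    result = {}
    for cve, _component, required in RISK_MATRIX:
        needed = {p.strip().upper() for p in required.split(",")}
        if needed == {"LOCAL LOGON"}:
            # Local Logon is not a grant in the privilege views, so it cannot
            # be checked from this inventory; None marks it for manual review.
            result[cve] = None
            continue
        result[cve] = sorted(a for a in ACCOUNTS if needed <= effective_privs(a))
    return result


if __name__ == "__main__":
    for cve, accounts in exposed_accounts().items():
        print(cve, "manual review" if accounts is None else accounts)
```

In the sample data, APP_DEV meets the precondition only through a nested role, which a check of direct grants alone would miss.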
