CVE-2017-3310 - OpenCVE

Vulnerability in the OJVM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4 and 12.1.0.2. Easily exploitable vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via multiple protocols to compromise OJVM. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in OJVM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of OJVM. CVSS v3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts).

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Oracle	Database

Configuration 1 [-]

OR	cpe:2.3:a:oracle:database:11.2.0.4:::::::*
	cpe:2.3:a:oracle:database:12.1.0.2:::::::*

No data.

References

Link	Providers
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
http://www.securityfocus.com/bid/95481
http://www.securitytracker.com/id/1037630

History

No history.

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2017-01-27T22:01:00

Updated: 2024-08-05T14:23:33.721Z

Reserved: 2016-12-06T00:00:00

Link: CVE-2017-3310

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-01-27T22:59:04.287

Modified: 2017-07-26T01:29:04.853

Link: CVE-2017-3310

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Oracle Database", "vendor": "Oracle", "versions": [{"status": "affected", "version": "11.2.0.4"}, {"status": "affected", "version": "12.1.0.2"}]}], "datePublic": "2017-01-17T00:00:00", "descriptions": [{"lang": "en", "value": "Vulnerability in the OJVM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4 and 12.1.0.2. Easily exploitable vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via multiple protocols to compromise OJVM. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in OJVM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of OJVM. CVSS v3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts)."}], "problemTypes": [{"descriptions": [{"description": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-25T09:57:01", "orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle"}, "references": [{"name": "95481", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/95481"}, {"name": "1037630", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1037630"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert_us@oracle.com", "ID": "CVE-2017-3310", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Oracle Database", "version": {"version_data": [{"version_value": "11.2.0.4"}, {"version_value": "12.1.0.2"}]}}]}, "vendor_name": "Oracle"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Vulnerability in the OJVM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4 and 12.1.0.2. Easily exploitable vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via multiple protocols to compromise OJVM. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in OJVM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of OJVM. CVSS v3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"}]}]}, "references": {"reference_data": [{"name": "95481", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95481"}, {"name": "1037630", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1037630"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:23:33.721Z"}, "title": "CVE Program Container", "references": [{"name": "95481", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/95481"}, {"name": "1037630", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1037630"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html"}]}]}, "cveMetadata": {"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "assignerShortName": "oracle", "cveId": "CVE-2017-3310", "datePublished": "2017-01-27T22:01:00", "dateReserved": "2016-12-06T00:00:00", "dateUpdated": "2024-08-05T14:23:33.721Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:database:11.2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "5100F5C8-D5F8-466B-AABE-E42B3770B39D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:database:12.1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "1F3C58EE-B36B-4081-A307-0FE9B52D8E62", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the OJVM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4 and 12.1.0.2. Easily exploitable vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via multiple protocols to compromise OJVM. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in OJVM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of OJVM. CVSS v3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts)."}, {"lang": "es", "value": "Vulnerabilidad en el componente OJVM de Oracle Database Server. Versiones compatibles que estan afectadas son 11.2.0.4 y 12.1.0.2. Vulnerabilidad f\u00e1cilmente explotable permite a un atacante poco privilegiado poseedor de privilegio Create Session, Create Procedure con acceso a la red a trav\u00e9s de m\u00faltiples protocolos, comprometer OJVM. Ataques exitosos requieren interacci\u00f3n humana de una persona distinta del atacante y mientras la vulnerabilidad est\u00e9 en OJVM, los ataques podr\u00edan afectar significativamente a productos adicionales. Ataques exitosos de esta vulnerabilidad pueden resultar en la toma de control de OJVM. CVSS v3.0 Base Score 9.0 (Impactos de Integridad, Confidencialidad y Disponibilidad)."}], "id": "CVE-2017-3310", "lastModified": "2017-07-26T01:29:04.853", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-01-27T22:59:04.287", "references": [{"source": "secalert_us@oracle.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html"}, {"source": "secalert_us@oracle.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95481"}, {"source": "secalert_us@oracle.com", "url": "http://www.securitytracker.com/id/1037630"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}