Eddie Zhu

**Name of the Vulnerable Software and Affected Versions** Oracle Database Server version 19c **Description** The issue affects the Oracle Database - Advanced Queuing component, allowing a high-privileged attacker with DBA user privilege and network access via Oracle Net to compromise it. Successful attacks can result in the takeover of Oracle Database - Advanced Queuing. **Recommendations** For Oracle Database Server version 19c, update to a version that includes the fix for this issue to prevent potential exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle Database - Enterprise Edition Recovery (affected versions not specified) **Description** A vulnerability in the Oracle Database - Enterprise Edition Recovery component allows a high-privileged attacker with EXECUTE ON DBMS IR.EXECUTESQLSCRIPT privilege and network access via Oracle Net to compromise the Oracle Database - Enterprise Edition Recovery. Successful attacks can result in the takeover of the Oracle Database - Enterprise Edition Recovery. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Database Server versions 12.1.0.2, 12.2.0.1 and 19c **Description** The issue affects the Oracle LogMiner component, allowing a high-privileged attacker with DBA privilege and network access via Oracle Net to compromise Oracle LogMiner. This can result in unauthorized creation, deletion, or modification access to critical data, as well as unauthorized read access to a subset of Oracle LogMiner accessible data. Additionally, it can cause a hang or frequently repeatable crash of Oracle LogMiner. **Recommendations** For version 12.1.0.2, update to a version that includes the fix for this issue. For version 12.2.0.1, update to a version that includes the fix for this issue. For version 19c, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Oracle LogMiner component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle Database Server versions 12.1.0.2, 12.2.0.1 and 19c **Description** The issue exists due to insufficient input validation in the Oracle Text component of Oracle Database Server. This allows a remote attacker to execute arbitrary code using the Oracle Net protocol. The vulnerability can be easily exploited by a high-privileged attacker with Create Any Procedure, Alter Any Table privilege and network access via Oracle Net, potentially resulting in the takeover of Oracle Text. **Recommendations** For version 12.1.0.2, update to a version that includes the fix for this issue. For version 12.2.0.1, update to a version that includes the fix for this issue. For version 19c, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Oracle Text component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Java SE version 7u301 **Description** The issue is related to the JNDI component and can be exploited by an unauthenticated attacker with network access via multiple protocols, potentially leading to a partial denial of service (DOS) of Java SE. This vulnerability applies to Java deployments that load and run untrusted code and rely on the Java sandbox for security. It can also be exploited through APIs in the specified component, for example, via a web service supplying data to the APIs. **Recommendations** For Java SE version 7u301, consider disabling the JNDI component or restricting its use until a patch is available. As a temporary workaround, avoid using APIs in the JNDI component that may be vulnerable to exploitation. Restrict access to web services that supply data to the JNDI APIs to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Database Server versions 12.1.0.2 through 19c **Description** The issue is related to insufficient input validation in the Oracle XML DB component, allowing a high-privileged attacker with network access via Oracle Net to compromise Oracle XML DB. Successful attacks can result in the takeover of Oracle XML DB. The attacker must have Create Any Procedure and Create Public Synonym privileges. **Recommendations** For versions 12.1.0.2, 12.2.0.1, and 19c, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Database Server versions 12.1.0.2, 12.2.0.1 and 19c **Description** The issue is related to insufficient input validation in the Oracle XML DB component. It allows a high-privileged attacker with Create Any Procedure, Create Public Synonym privilege and network access via Oracle Net to compromise Oracle XML DB, potentially leading to a takeover. The vulnerability can be exploited remotely. **Recommendations** For version 12.1.0.2, update to a version that includes the fix for this issue. For version 12.2.0.1, update to a version that includes the fix for this issue. For version 19c, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Oracle XML DB component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Oracle Database Server versions 12.1.0.2 through 19c **Description** The issue is related to insufficient input validation in the Oracle XML DB component, allowing a high-privileged attacker with Alter User privilege and network access via Oracle Net to compromise Oracle XML DB. This can result in unauthorized access to critical data or complete access to all Oracle XML DB accessible data. **Recommendations** For versions 12.1.0.2, 12.2.0.1, and 19c, update to a version that includes the fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) version 11.5 **Description** The issue is caused by a race condition of a symbolic link, allowing a local user to access and change the configuration of Db2. It is also described as being due to synchronization errors when using a shared resource, which could enable an attacker to modify the DB2 configuration. **Recommendations** For IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) version 11.5, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Oracle Database Server versions 12.1.0.2, 12.2.0.1, 18c, and 19c Description: The issue exists due to insufficient input validation in the RDBMS Scheduler component of Oracle Database Server, allowing a remote attacker to execute arbitrary code by sending specially crafted network packets. This can result in the takeover of the RDBMS Scheduler. A low-privileged attacker with Export Full Database privilege and network access via Oracle Net can exploit this issue. Recommendations: For versions 12.1.0.2, 12.2.0.1, 18c, and 19c, update to a version that includes the fix for this issue to prevent exploitation. As a temporary workaround, consider restricting network access via Oracle Net to minimize the risk of exploitation. Restrict the Export Full Database privilege to prevent low-privileged attackers from exploiting the vulnerability.

Name of the Vulnerable Software and Affected Versions: Oracle Database Server versions 12.2.0.1, 18c, 19c Description: The issue is related to the RDBMS Sharding component of Oracle Database Server, where an easily exploitable vulnerability allows a high-privileged attacker with network access via Oracle Net to compromise RDBMS Sharding. This can result in the takeover of RDBMS Sharding. The vulnerability is associated with inadequate access control and can be exploited by an attacker with Create Any Procedure, Create Any View, Create Any Trigger privilege. Recommendations: For versions 12.2.0.1, 18c, and 19c, consider restricting access to the RDBMS Sharding component until a patch is available. As a temporary workaround, limit the privileges of users with Create Any Procedure, Create Any View, Create Any Trigger privilege to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Oracle Database Server versions 11.2.0.4, 12.1.0.2, 12.2.0.1 Description: The issue is related to insufficient input validation in the Database Filesystem component. It allows a high-privileged attacker with specific privileges, including Resource, Create Table, Create View, Create Procedure, Dbfs role, and network access via Oracle Net, to compromise the Database Filesystem. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash of the Database Filesystem, leading to a denial of service. The vulnerability can be exploited remotely. Recommendations: For version 11.2.0.4, update to a version that includes the fix for this issue. For version 12.1.0.2, update to a version that includes the fix for this issue. For version 12.2.0.1, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Database Filesystem component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) versions 9.7, 10.1, 10.5, 11.1, and 11.5 **Description** The issue is caused by synchronization errors when using a shared resource, potentially allowing an attacker to gain unauthorized access to protected information. A local user could obtain sensitive information using a race condition of a symbolic link. **Recommendations** For versions 9.7, 10.1, 10.5, 11.1, and 11.5, consider restricting access to the symbolic link to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider disabling the use of symbolic links in the affected DB2 versions until the issue is resolved. Avoid using the affected DB2 versions for sensitive information storage until the vulnerability is fixed.

**Name of the Vulnerable Software and Affected Versions** IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) versions 9.7, 10.1, 10.5, 11.1, and 11.5 **Description** The issue is caused by improper bounds checking, leading to a buffer overflow. This could allow a local attacker to execute arbitrary code on the system with root privileges. The vulnerability is related to insufficient size checking of copied data. **Recommendations** For versions 9.7, 10.1, 10.5, 11.1, and 11.5, update to a version that includes the fix for the buffer overflow issue. As a temporary workaround, consider restricting access to the system to minimize the risk of exploitation. Avoid using the system with root privileges until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Database versions 12.1.0.2 through 19c **Description** The issue exists due to insufficient input validation in the Core RDBMS component of Oracle Database. Exploitation of this issue may allow an attacker to impact data integrity or cause a partial denial of service. Successful attacks require human interaction from a person other than the attacker and can result in unauthorized access to modify data or cause a partial denial of service. **Recommendations** For versions 12.1.0.2, 12.2.0.1, 18c, and 19c, update to a version that includes the fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Database Server versions 12.1.0.2, 12.2.0.1, 18c, 19c **Description** The issue is related to insufficient access control in the Oracle Applications DBA component, allowing a low-privileged attacker with local logon privilege to compromise Oracle Applications DBA. Successful attacks require human interaction from a person other than the attacker and can result in unauthorized access to modify, add, or delete data, as well as cause a partial denial of service. **Recommendations** For versions 12.1.0.2, 12.2.0.1, 18c, and 19c, consider restricting access to the Oracle Applications DBA component to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider disabling any functionality that relies on local logon privileges to the infrastructure where Oracle Applications DBA executes. Restrict access to sensitive data and monitor for any unauthorized changes or denial of service attempts. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Applications DBA versions 11.2.0.4 through 19c **Description** The issue is related to insufficient access control in the Oracle Applications DBA component of Oracle Database Server. Exploitation of this issue can allow an attacker to modify, add, or delete data, or cause a denial of service. The vulnerability can be easily exploited by a low-privileged attacker with local logon privilege to the infrastructure where Oracle Applications DBA executes. Successful attacks require human interaction from a person other than the attacker and can result in unauthorized access to some of Oracle Applications DBA accessible data and a partial denial of service. **Recommendations** For versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, and 19c, consider restricting access to the Oracle Applications DBA component to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit local logon privileges to the infrastructure where Oracle Applications DBA executes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) versions 9.7, 10.1, 10.5, and 11.1 **Description** The issue is a buffer overflow that could allow an authenticated local attacker to execute arbitrary code on the system as root. **Recommendations** For versions 9.7, 10.1, 10.5, and 11.1, update to a version that includes the fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM DB2 versions 9.7 through 11.1 **Description** The issue is caused by improper bounds checking, leading to a stack-based buffer overflow in the libdb2e.so.1 library. This could allow an attacker to execute arbitrary code. **Recommendations** For IBM DB2 versions 9.7 through 11.1, update to a version that includes the fix for the buffer overflow issue in the libdb2e.so.1 library.

**Name of the Vulnerable Software and Affected Versions** IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) versions 9.7, 10.1, 10.5, and 11.1 **Description** The issue is a buffer overflow that could allow an authenticated local attacker to execute arbitrary code on the system as root. **Recommendations** For versions 9.7, 10.1, 10.5, and 11.1, update to a version that includes the fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.