PT-2020-2290 · Oracle · Oracle Database Server+1

Published: 2020-04-14 · Updated: 2020-04-16 · CVE-2020-2735
CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Oracle Database Server versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
Description: The vulnerability is caused by insufficient access control in the Java VM component of Oracle Database Server. A remote attacker can exploit it over the Oracle Net network protocol to gain full control of the application. Exploitation is difficult: it requires a low-privileged attacker who holds the Create Session privilege and has network access via Oracle Net, and a successful attack also requires interaction from a user other than the attacker. A successful attack can significantly affect additional products beyond the vulnerable component, potentially leading to a takeover of the Java VM.
Recommendations: For versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c, restrict access to the Java VM component to reduce the risk of exploitation until a patch is available. As a temporary workaround, withhold the Create Session privilege from low-privileged accounts that do not need it, and restrict network access via Oracle Net to limit exposure to remote exploitation.

Fix


Weakness Enumeration

Related Identifiers

BDU:2020-02244
CVE-2020-2735

Affected Products

Oracle Database
Oracle Database Server