CVE-2020-2734

Name of the Vulnerable Software and Affected Versions Oracle Database Server versions 12.1.0.2, 12.2.0.1, 18c, and 19c

Description The issue is related to the RDBMS/Optimizer component of Oracle Database Server, where an easily exploitable vulnerability allows a high-privileged attacker with Execute on DBMS SQLTUNE privilege and network access via Oracle Net to compromise RDBMS/Optimizer. Successful attacks require human interaction from a person other than the attacker and can result in unauthorized read access to a subset of RDBMS/Optimizer accessible data. The vulnerability is associated with inadequate access control.

Recommendations For versions 12.1.0.2, 12.2.0.1, 18c, and 19c, consider restricting access to the DBMS SQLTUNE privilege to minimize the risk of exploitation. As a temporary workaround, limit network access via Oracle Net to reduce the attack surface. Avoid relying on human interaction that may facilitate successful attacks, and implement additional security measures to protect against unauthorized read access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.