
Preface: Computer system vulnerabilities wreak havoc; IT life is not easy!
Background: Oracle's revolutionary cloud database features autopilot, self-protection, and self-healing capabilities designed to eliminate error-prone manual data management. But vulnerabilities in the core RDBMS still exist!
Security focus – CVE-2019-2444:
Since the advisory did not provide details, we speculated that even if you revoke the CREATE SESSION privilege from a user, they would still be able to log in to the database by using a role that holds this privilege.
For instance:
The DB contains a role with the CREATE SESSION privilege:
SQL> CREATE ROLE hidden_privileges;
SQL> GRANT create session TO hidden_privileges;
A schema/batch user is created and granted CREATE SESSION directly:
SQL> CREATE USER user1 IDENTIFIED BY admin;
SQL> GRANT create session TO user1;
If someone also gives that user an alternative way of connecting to the database, by granting the role:
SQL> GRANT hidden_privileges TO user1;
then the problem appears: revoking CREATE SESSION from user1 directly no longer keeps the user out, because the role still carries the privilege.
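To check a database for exactly this situation, the following audit query (an added example, not part of the original post or of Oracle's advisory) walks the role grants in DBA_ROLE_PRIVS, including roles granted to other roles, and lists every user who reaches CREATE SESSION only through a role while holding no direct grant in DBA_SYS_PRIVS. It assumes the session can read the DBA_* dictionary views (for example via SELECT_CATALOG_ROLE); the role and user names hidden_privileges and user1 come from the scenario above.

```sql
-- Added audit query (not from the original post). Finds users whose only
-- path to CREATE SESSION is a role chain, i.e. the case described above
-- where REVOKE CREATE SESSION FROM user1 is not enough.
-- Assumes access to the DBA_* dictionary views (e.g. SELECT_CATALOG_ROLE).
WITH role_chain (username, granted_role, grant_path, lvl) AS (
  -- Level 1: roles granted directly to a database user
  SELECT rp.grantee,
         rp.granted_role,
         rp.grantee || ' -> ' || rp.granted_role,
         1
  FROM   dba_role_privs rp
  JOIN   dba_users u ON u.username = rp.grantee
  UNION ALL
  -- Level n+1: roles granted to a role already reached on the path
  SELECT rc.username,
         rp.granted_role,
         rc.grant_path || ' -> ' || rp.granted_role,
         rc.lvl + 1
  FROM   role_chain rc
  JOIN   dba_role_privs rp ON rp.grantee = rc.granted_role
  WHERE  rc.lvl < 20   -- defensive depth limit on the recursion
)
SELECT DISTINCT
       rc.username,
       rc.grant_path || ' (CREATE SESSION)' AS how_reached
FROM   role_chain rc
JOIN   role_sys_privs rsp ON rsp.role = rc.granted_role
WHERE  rsp.privilege = 'CREATE SESSION'
AND    NOT EXISTS (                       -- no direct grant of the privilege
         SELECT 1
         FROM   dba_sys_privs sp
         WHERE  sp.grantee   = rc.username
         AND    sp.privilege = 'CREATE SESSION')
ORDER BY rc.username;

-- In the scenario above, once CREATE SESSION has been revoked from user1
-- directly, the query reports:
--   USER1   USER1 -> HIDDEN_PRIVILEGES (CREATE SESSION)
-- Remediation is then either to remove the role from the user or to take
-- the privilege out of the role:
--   REVOKE hidden_privileges FROM user1;
--   REVOKE create session FROM hidden_privileges;
```

Run the query as part of a periodic privilege review; any row it returns is a user whose ability to log in is controlled by a role rather than by the user's own grants, which is what a revoke on the user alone will miss.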
For the remaining vulnerabilities, please refer to the official announcement: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html