Security Focus – Critical Patch Update contains 3 new security fixes for the Oracle Database Server – 15th Jan 2019

Preface: Computer system vulnerabilities wreak havoc; IT life is not easy!

Background: Oracle markets its cloud database as self-driving, self-securing and self-repairing, with autopilot, self-protection and self-healing capabilities designed to eliminate error-prone manual data management. But vulnerabilities in the Core RDBMS still exist!

Security focus – CVE-2019-2444:
Oracle's advisory does not give details of the flaw, so what follows is our speculation: even if you revoke the CREATE SESSION privilege directly from a user, that user may still be able to log in to the database through a ROLE that carries this privilege. Note that holding CREATE SESSION through a default role is documented Oracle behaviour (the CONNECT role, for example, grants exactly this privilege), so the practical risk is one of visibility: revoking the direct grant alone does not lock the account out.

For instance:
The database contains a role that carries the CREATE SESSION privilege:
SQL> CREATE ROLE hidden_privileges;
SQL> GRANT create session TO hidden_privileges;

A schema/batch user is created with a direct CREATE SESSION grant:
SQL> CREATE USER user1 IDENTIFIED BY admin;
SQL> GRANT create session TO user1;

If someone also gives the user an alternative way of connecting to the database:
SQL> GRANT hidden_privileges TO user1;

then revoking the direct grant no longer removes the user's ability to log in, and the scenario described above occurs.
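The scenario above carried through to the revoke step, followed by an audit query that finds every user who holds CREATE SESSION only through a role. This is an added example, not code from the original post or from Oracle's advisory; it assumes a SQL*Plus session as a DBA and reuses the post's own role and user names. DBA_ROLE_PRIVS and DBA_SYS_PRIVS are standard Oracle data dictionary views.

```sql
-- Added example (not from the original post or Oracle's advisory).
-- Reproduces the speculated scenario, then audits for it. Assumes a
-- DBA session in SQL*Plus; role/user names are the post's own.

CREATE ROLE hidden_privileges;
GRANT CREATE SESSION TO hidden_privileges;

CREATE USER user1 IDENTIFIED BY admin;
GRANT CREATE SESSION TO user1;
GRANT hidden_privileges TO user1;

-- Revoking the direct grant looks like a lock-out, but is not:
REVOKE CREATE SESSION FROM user1;
-- CONNECT user1/admin   still succeeds: hidden_privileges is a DEFAULT
-- role, so the CREATE SESSION it carries is enabled at logon.

-- Audit: users whose CREATE SESSION comes only through a role.
-- DBA_SYS_PRIVS lists direct system privileges; DBA_ROLE_PRIVS lists
-- role grants together with whether the role is a default role.
SELECT rp.grantee, rp.granted_role, rp.default_role
  FROM dba_role_privs rp
  JOIN dba_sys_privs sp
    ON sp.grantee   = rp.granted_role
   AND sp.privilege = 'CREATE SESSION'
 WHERE NOT EXISTS (SELECT 1
                     FROM dba_sys_privs d
                    WHERE d.grantee   = rp.grantee
                      AND d.privilege = 'CREATE SESSION')
 ORDER BY rp.grantee;
-- For the scenario above this returns: USER1  HIDDEN_PRIVILEGES  YES

-- Remediation: revoke the role as well, or lock the account outright.
REVOKE hidden_privileges FROM user1;
ALTER USER user1 ACCOUNT LOCK;
```

The query only follows one level of role grants; a role granted to another role (visible in ROLE_ROLE_PRIVS) that in turn carries CREATE SESSION would need a recursive join to be caught. A DEFAULT_ROLE of NO means the role must be enabled with SET ROLE after login, so it does not by itself permit the logon.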

For the remaining vulnerabilities, please refer to the official announcement: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html