How to find the patch that corresponds to a CVE, using CVE-2018-3110 as the example

 

WeChat official account: 云库管    www.yunDBA.com

北京云库管科技有限公司 (internal training material)

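Approach:

CVE -> follow the URL in the NSFOCUS report to find the corresponding patch -> open the patch download page -> click "Hide Related Knowledge to this Patch" -> the patch number is the bug number

Key point of this article:

Click "Hide Related Knowledge to this Patch" and you find that the patch number is Bug 23727132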

 

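Contents

1. In the NSFOCUS vulnerability scan report, find the relevant CVE-2018-xxxxx

2. Follow this URL to the Oracle website

3. Click Database (click to open)

4. Select 3.1 Oracle Database (click to open)

5. The patch number on the right, Patch 23727132, is the one-off patch number corresponding to CVE-2018-3110

6. Click "Hide Related Knowledge to this Patch" and you find that patch 23727132 corresponds to Bug 23727132

7. On a database machine that has already been patched, query the patch list; finding this patch there shows that CVE-2018-3110 has been resolved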

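1. In the NSFOCUS vulnerability scan report, find the relevant CVE-2018-xxxxx

Using CVE-2018-3110 as the example

Oracle Database Server Java VM component security vulnerability (CVE-2018-3110)

Detailed description

Oracle Database Server is a relational database management system from Oracle Corporation (USA). It provides data management, distributed processing and other functions. Java VM is its Java virtual machine component.

The Java VM component in Oracle Database Server contains a security vulnerability. An attacker can exploit it to gain unauthorized access to data, affecting data confidentiality.

Affected versions: Oracle Database Server 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18.2.

Solution

Vendor patch:

The vendor has released an upgrade patch that fixes the vulnerability. Patch link: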

http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-3110-5032149.html

 

 

2. Follow this URL to the Oracle website

http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-3110-5032149.html

Oracle Security Alert Advisory - CVE-2018-3110

Description

This Security Alert addresses an Oracle Database vulnerability in versions 11.2.0.4 and 12.2.0.1 on Windows. CVE-2018-3110 has a CVSS v3 base score of 9.9, and can result in complete compromise of the Oracle Database and shell access to the underlying server. CVE-2018-3110 also affects Oracle Database version 12.1.0.2 on Windows as well as Oracle Database on Linux and Unix, however patches for those versions and platforms were included in the July 2018 CPU. 
If you are running Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows, please apply the patches indicated below. If you are running version 12.1.0.2 on Windows or any version of the database on Linux or Unix and have not yet applied the July 2018 CPU, please do so.
Due to the nature of this vulnerability, Oracle strongly recommends that customers take action without delay.
Affected Products and Patch Information

Security vulnerabilities addressed by this Security Alert affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions | Patch Availability Document
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18 | Database (click to open)


3. Click Database (click to open)

The linked document is shown below:

Critical Patch Update (CPU) Program July 2018 Patch Availability Document (PAD) (Doc ID 2394520.1)

This document contains the following sections:

4. Select 3.1 Oracle Database (click to open)

The page shows the following. Search for CVE-2018-3110 under the matching Oracle version:

3.1.4.5 Oracle Database 11.2.0.4

Error Correction information for Oracle Database 11.2.0.4

Patch Information | 11.2.0.4 | Comments
Final CPU | October 2020 |
On-Request platforms | HP-UX PA RISC; IBM: Linux on System Z; 32-bit client-only platforms except Linux x86 |
On-Request platforms | 32-bit client-only platforms except Linux x86 |

Patch Availability for Oracle Database 11.2.0.4

 

Oracle Database Server home | Oracle JavaVM (OJVM) Component Database PSU 11.2.0.4.180717 Patch 27923163 for UNIX, or OJVM Microsoft Windows Bundle Patch 11.2.0.4.180810 Patch 28416098 or later | CVE-2018-3004, CVE-2018-3110 | OJVM PSU 11.2.0.4.161018 and greater includes Generic JDBC Patch 23727132. See Note 1929745.1, Oracle Recommended Patches -- Oracle JavaVM Component Database PSU (OJVM PSU) Patches

5. The patch number on the right, Patch 23727132, is the one-off patch number corresponding to CVE-2018-3110

Click Patch 23727132 to open the download page

6. Click "Hide Related Knowledge to this Patch" and you find that patch 23727132 corresponds to Bug 23727132

Click through to the article to read the note describing this bug

Bug 23727132 - Oracle JavaVM Component 11.2.0.4.160719 Database PSU - Generic JDBC Patch (Jul 2016) (Doc ID 23727132.8)


Bug 23727132  Oracle JavaVM Component 11.2.0.4.160719 Database PSU - Generic JDBC Patch (Jul 2016)

This note gives a brief overview of Patch:23727132
The content was last updated on: 05-AUG-2018
Click here for details of each of the sections below.

Affects:

Product (Component) | Oracle Server (Critical Patch Update)
Version/s this patch is for | 11.2.0.4
Platforms affected | Generic (all / most platforms affected)

Symptoms: (None Specified)

Related To: (None Specified)

Description

This is a marker bug for the Oracle JavaVM Component 11.2.0.4.160719 Database PSU Generic JDBC Patch (Jul 2016).
This patch includes critical fixes for JDBC used outside of the database.
 
See Note:1929745.1 for details of this JDBC patch along with the Oracle JavaVM DB PSU patches
 
- This patch can be downloaded here: Patch:23727132
 
- It is applicable to client, instant client, Grid and database ORACLE_HOMEs.
 
  - This patch is included in the OJVM PSU.
    Hence this patch does not need to be installed in Database homes 
    if Jul 2016 OJVM PSU (or later) is installed, but it is still needed in 
    client homes or homes with no OJVM PSU installed.
 
  - This JDBC patch IS included in GI Combo patches
 
- For July 2016 Critical Patch Update information see Note:2136219.1
- For January 2017  Critical Patch Update information see Note:2203916.1
 
- For known issues with this patch see Note:2136795.1 
 

7. On a database machine that has already been patched, query the patch list; finding this patch there shows that CVE-2018-3110 has been resolved

C:\oraclexee\product\11.2.0\dbhome_1\OPatch>opatch lsinventory

中间补丁程序 (2) :

 Patch  28412269     : applied on Fri Oct 26 00:21:48 GMT+08:00 2018

Unique Patch ID:  22489197

Patch description:  "WINDOWS ORACLE JAVAVM COMPONENT BUNDLE PATCH 11.2.0.4.181016"

   Created on 8 Oct 2018, 16:17:30 hrs PST8PDT

   Bugs fixed:

     26637592, 26023002, 19007266, 21566944, 27642235, 21811517, 19058059

     19852360, 20408829, 18933818, 25076732, 22675136, 25649873, 27461842

     22670385, 19231857, 21047766, 17804361, 18458318, 17285560, 17056813

     18166577, 23727132, 23265914, 28502128, 19374518, 24448240, 25494379

     18726772, 19554117, 19153980, 19909862, 17201047, 17528315, 24534298

     25067795, 19187988, 22118835, 19006757, 21911849, 27952577, 27000663

     19895326, 19176885, 22253904, 14774730, 19223010

   This patch overlays patches:

     28265827

   This patch needs patches:

     28265827

   as prerequisites
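
An added example (not part of the original training material and not Oracle tooling): a Python parser for `opatch lsinventory` output in the layout shown above. It reports which installed patches list marker bug 23727132 under "Bugs fixed", and which carry a Windows OJVM bundle patch description at level 11.2.0.4.180810 or later, the level the PAD row in step 4 lists against CVE-2018-3110. The sample text is constructed from the output above, and the function names are assumptions of this example.

```python
import re

# Constructed sample: trimmed `opatch lsinventory` output in the layout shown above.
SAMPLE = """\
 Patch  28412269     : applied on Fri Oct 26 00:21:48 GMT+08:00 2018
Unique Patch ID:  22489197
Patch description:  "WINDOWS ORACLE JAVAVM COMPONENT BUNDLE PATCH 11.2.0.4.181016"
   Bugs fixed:
     26637592, 26023002, 19007266
     18166577, 23727132, 23265914
   This patch overlays patches:
     28265827
"""

def parse_lsinventory(text):
    """Return one {'patch', 'description', 'bugs'} dict per installed patch."""
    patches, cur, in_bugs = [], None, False
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"Patch\s+(\d+)\s*:\s*applied on", s)
        if m:
            cur = {"patch": m.group(1), "description": "", "bugs": set()}
            patches.append(cur)
            in_bugs = False
        elif cur is None:
            continue  # inventory header lines before the first patch entry
        elif s.startswith("Patch description:"):
            cur["description"] = s.split(":", 1)[1].strip().strip('"')
        elif s.startswith("Bugs fixed:"):
            in_bugs = True
        elif in_bugs and re.fullmatch(r"\d+(\s*,\s*\d+)*,?", s):
            cur["bugs"].update(re.findall(r"\d+", s))
        elif s:
            in_bugs = False  # any other non-blank line ends the bug list
    return patches

def check_cve_2018_3110(text, marker_bug="23727132", min_ojvm="180810"):
    """marker_bug and min_ojvm are taken from the PAD row for 11.2.0.4 quoted in step 4."""
    result = {"marker_bug_in": [], "ojvm_bundle_ok": []}
    for p in parse_lsinventory(text):
        if marker_bug in p["bugs"]:
            result["marker_bug_in"].append(p["patch"])
        m = re.search(r"JAVAVM COMPONENT BUNDLE PATCH 11\.2\.0\.4\.(\d{6})", p["description"])
        if m and m.group(1) >= min_ojvm:  # YYMMDD strings compare chronologically
            result["ojvm_bundle_ok"].append(p["patch"])
    return result

if __name__ == "__main__":
    print(check_cve_2018_3110(SAMPLE))
```

The description pattern covers only the Windows bundle patch wording shown in the output above; on UNIX the PAD row names the OJVM PSU instead, so the pattern would need adjusting there.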