My favorite one (if I were a hacker) is CVE-2018-3259, its the one that allows me to take over the Oracle VM remotely. That's where I get all that precious data. Delicious. Just port scan for 1521 and bingo... I am ready to rock and roll.
I think the Russians will pay 1.00 per American user with private data, I take over the VM connect to the database, create a SCOTT/TIGER account with DBA privs (This step is to get the DBA fired for being careless) and then s--- all that delicious data into my csv text file. Mrs Jone's gallbladder problem and her visa account information should earn me some quick cash.
My second favorite is CVE-2018-3299 I can mess with the Oracle text and cause Oracle to crash for a DOS. Why not execute both? Port scan 1521, take over the Oracle VM remotely, create the Scott/Tiger account with DBA privs, s--- out all the user data. Then I have options. Option one cover my tracks and sneak away. Or option two pull an "allahu akbar" and blow up the database on the way out by exploiting the text bug and cause a DOS. Option two gets me the high profile attention some hackers crave. I'd go by the hacker alias "T–dCEO" as an homage to the man who made it all possible.
So sad to watch a once great company burn in the garbage dump... ah but what do you expect when you cut good talent and replace it with whomever is cheapest.
https://www.theregister.co.uk/2018/10/16/oracle_patch_bundle/
For Database, the update addresses a total of three flaws. Two of the vulnerabilities (CVE-2018-3259 and CVE-2018-3299) can be remotely exploited without authentication, while the third, CVE-2018-7489, would require the user to have a Rapid Home Provisioning account to execute and is considered by far the least severe of the three.
Oracle noted that all three bugs only impact the server versions of Database, user clients are not considered to be vulnerable.
Whew thank goodness. I wouldn't want my SQL server client which has no data to be compromised. Thank goodness its only the server that has all the data that is totally vulnerable to anyone to exploit this attack.
https://nvd.nist.gov/vuln/detail/CVE-2018-3259
Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18c. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java VM. Successful attacks of this vulnerability can result in takeover of Java VM. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
https://nvd.nist.gov/vuln/detail/CVE-2018-3299
Vulnerability in the Oracle Text component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2 and 12.2.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Text. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Text, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Text as well as unauthorized update, insert or delete access to some of Oracle Text accessible data. CVSS 3.0 Base Score 8.2 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:H).