
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-2735 is a vulnerability in the Java VM component of Oracle Database Server affecting versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. The vulnerability was disclosed in April 2020. It is classified as difficult to exploit and requires a low-privileged attacker with Create Session privilege and network access via Oracle Net (Oracle Advisory).
The vulnerability has a CVSS 3.0 Base Score of 8.0 (High) with the following vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H. This indicates a network attack vector, high attack complexity, low privileges required, user interaction required, changed scope, and high impact on confidentiality, integrity and availability (NVD).
Successful exploitation of this vulnerability can result in complete takeover of Java VM. While the vulnerability exists in Java VM, attacks may significantly impact additional products. The vulnerability affects confidentiality, integrity, and availability with high severity ratings for all three aspects (Oracle Advisory).
Oracle has released patches for this vulnerability as part of the April 2020 Critical Patch Update. Affected customers should apply the security patches to the vulnerable Oracle Database Server versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c (Oracle Advisory).
Source: This report was generated using AI