Oracle Security Alert for CVE-2012-3132


Description

This security alert addresses the security issue CVE-2012-3132, the Privilege Escalation vulnerability in the Oracle Database Server that was recently disclosed at the Black Hat USA 2012 Briefings held in July 2012 involving INDEXTYPE CTXSYS.CONTEXT. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. A remote authenticated user can exploit this vulnerability to gain 'SYS' privileges and impact the confidentiality, integrity and availability of un-patched systems.

Affected Products and Versions

  • Oracle Database Server versions 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3

Note: Oracle Database Server versions 11.2.0.2 and 11.2.0.3 do not require patching if the July 2012 Critical Patch Update has been applied.

Since Oracle Fusion Middleware, Oracle Enterprise Manager, and Oracle E-Business Suite include the Oracle Database Server component that is affected by this vulnerability, Oracle recommends that customers apply this fix as soon as possible to the Oracle Database Server component.

Supported Products and Versions

Security Alerts are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers remain on actively supported versions so that they can take advantage of Oracle's Ongoing Security Assurance activities, and be able to obtain the security fixes released through the Critical Patch Update and Security Alert programs.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of the vulnerability addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by this vulnerability.

Supported releases of Oracle Database Server are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Security Alerts are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to request Security Alerts for products in the Extended Support Phase.

Patch Availability

Patches and relevant information for protecting against this vulnerability can be found in My Oracle Support Note 1480492.1. Mitigations for this issue for Oracle Database Server versions 9i through 11gR2 can be found in My Oracle Support Note 1482694.1.

Due to the threat posed by a successful attack, and the public disclosure of the technical details of this vulnerability, Oracle strongly recommends that customers apply this Security Alert solution as soon as possible.

References


Modification History


Date            Comments
2012-August-10  Rev 1. Initial Release
Oracle Database Server Executive Summary


This Security Alert contains 1 new security fix for the Oracle Database Server.  This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password.  This fix is not applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.


Oracle Database Server Risk Matrix


CVE#: CVE-2012-3132
Component: Core RDBMS
Protocol: Oracle NET
Package and/or Privilege Required: Create session, create table
Remote Exploit without Auth.?: No
CVSS Version 2.0 Risk (see Risk Matrix Definitions):
  Base Score: 6.5
  Access Vector: Network
  Access Complexity: Low
  Authentication: Single
  Confidentiality: Partial+
  Integrity: Partial+
  Availability: Partial+
Supported Versions Affected: 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3
Notes: See Note 1
Notes:

  1. 11.2.0.2 and 11.2.0.3 do not require patching if the July 2012 Critical Patch Update has been applied.
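The following triage script is an added example for readers of this alert; it is not part of Oracle's advisory or of the My Oracle Support notes it references. It reports what the Description and Risk Matrix above make relevant: the database version (to compare against the Supported Versions Affected list), whether Oracle Text is installed (the CTXSYS schema owns the CONTEXT indextype named in the Description), which Critical Patch Updates the data dictionary records as applied (Note 1 exempts 11.2.0.2 and 11.2.0.3 only when the July 2012 CPU is in place), and which accounts hold both CREATE SESSION and CREATE TABLE, the privilege set the Risk Matrix lists as required. Assumptions: it is run as SYSDBA from SQL*Plus; registry$history is populated only when a CPU/PSU's post-install SQL step was executed, so an empty result there means "unknown", not "unpatched".

```sql
-- Added triage script for Oracle Security Alert CVE-2012-3132 (example, not from the advisory).
-- Run as SYSDBA, e.g. from SQL*Plus.  All views used are standard data dictionary objects.

SET LINESIZE 160 PAGESIZE 100

-- 1. Database version: compare with the Supported Versions Affected list in the Risk Matrix.
SELECT banner FROM v$version WHERE banner LIKE 'Oracle Database%';

-- 2. Is Oracle Text installed?  COMP_ID 'CONTEXT' is the Oracle Text component,
--    and its schema (CTXSYS) owns the CONTEXT indextype named in the Description.
SELECT comp_id, comp_name, version, status
FROM   dba_registry
WHERE  comp_id = 'CONTEXT';

-- 3. Patch history recorded by the CPU/PSU post-install step.  For 11.2.0.2 / 11.2.0.3,
--    a row whose COMMENTS mention the July 2012 CPU (or a later one) means Note 1 applies.
--    No rows here means the history is not recorded, not that the system is patched.
SELECT action_time, action, version, id, comments
FROM   registry$history
ORDER  BY action_time;

-- 4. Accounts that hold BOTH privileges the Risk Matrix requires, either directly
--    or through any depth of role grants (e.g. CONNECT -> CREATE SESSION,
--    RESOURCE -> CREATE TABLE).  This is the population able to reach the affected code
--    path once authenticated; review it against your access policy.
--    Caveat: privileges granted to PUBLIC apply to every account but are not expanded here,
--    because PUBLIC is not a row in dba_users.
WITH role_tree AS (
  -- every (user_or_role, role it ultimately holds) pair, walking nested roles
  SELECT CONNECT_BY_ROOT grantee AS grantee, granted_role
  FROM   dba_role_privs
  CONNECT BY NOCYCLE PRIOR granted_role = grantee
),
effective AS (
  -- system privileges granted directly
  SELECT grantee, privilege FROM dba_sys_privs
  UNION
  -- system privileges inherited through the role tree
  SELECT rt.grantee, sp.privilege
  FROM   role_tree rt
  JOIN   dba_sys_privs sp ON sp.grantee = rt.granted_role
)
SELECT e.grantee, u.account_status
FROM   effective e
JOIN   dba_users u ON u.username = e.grantee
WHERE  e.privilege IN ('CREATE SESSION', 'CREATE TABLE')
GROUP  BY e.grantee, u.account_status
HAVING COUNT(DISTINCT e.privilege) = 2
ORDER  BY e.grantee;
```

Step 4 is the part worth revisiting after patching: the Risk Matrix rates this issue as requiring only a single authenticated account with two very common privileges, so the list it produces (minus expected application and administrative accounts) is the population whose credentials an attacker would need, and it is the list to reconcile against the mitigations in My Oracle Support Note 1482694.1 on systems that cannot be patched immediately.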