This security alert addresses the security issue CVE-2012-3132, the Privilege Escalation vulnerability in the Oracle Database Server involving INDEXTYPE CTXSYS.CONTEXT, which was recently disclosed at the Black Hat USA 2012 Briefings held in July 2012. This vulnerability is not remotely exploitable without authentication, i.e., it cannot be exploited over a network without a username and password. A remote authenticated user can exploit this vulnerability to gain 'SYS' privileges and impact the confidentiality, integrity and availability of un-patched systems.
Note: Oracle Database Server versions 11.2.0.2 and 11.2.0.3 do not require patching if the July 2012 Critical Patch Update has been applied.
Since Oracle Fusion Middleware, Oracle Enterprise Manager and Oracle E-Business Suite include the Oracle Database Server component that is affected by this vulnerability, Oracle recommends that customers apply this fix to the Oracle Database Server component as soon as possible.
Security Alerts are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers remain on actively supported versions so that they can take advantage of Oracle's Ongoing Security Assurance activities, and be able to obtain the security fixes released through the Critical Patch Update and Security Alert programs.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of the vulnerability addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by this vulnerability.
Supported releases of Oracle Database Server are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
Security Alerts are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to request Security Alerts for products in the Extended Support Phase.
Patches and relevant information for protecting against this vulnerability can be found in My Oracle Support Note 1480492.1. Mitigations for this issue for Oracle Database Server versions 9i through 11gR2 can be found in My Oracle Support Note 1482694.1.
Due to the threat posed by a successful attack, and the public disclosure of the technical details of this vulnerability, Oracle strongly recommends that customers apply this Security Alert solution as soon as possible.
Date | Comments |
---|---|
2012-August-10 | Rev 1. Initial Release |
This Security Alert contains 1 new security fix for the Oracle Database Server. This vulnerability is not remotely exploitable without authentication, i.e., it cannot be exploited over a network without a username and password. This fix is not applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix can be found here.
CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | CVSS 2.0 Base Score (see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
CVE-2012-3132 | Core RDBMS | Oracle NET | Create session, create table | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3 | See Note 1 |