Oracle Security Alert for CVE-2012-3132

Description

This Security Alert addresses the security issue CVE-2012-3132, the Privilege Escalation vulnerability in the Oracle Database Server that was recently disclosed at the Black Hat USA 2012 Briefings held in July 2012 involving INDEXTYPE CTXSYS.CONTEXT. This vulnerability is not remotely exploitable without authentication, i.e., it cannot be exploited over a network without a username and password. A remote authenticated user can exploit this vulnerability to gain 'SYS' privileges and impact the confidentiality, integrity and availability of unpatched systems.

Affected Products and Versions

  • Oracle Database Server versions 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3

Note: Oracle Database Server versions 11.2.0.2 and 11.2.0.3 do not require patching if the July 2012 Critical Patch Update has been applied.

Since Oracle Fusion Middleware, Oracle Enterprise Manager and Oracle E-Business Suite include the Oracle Database Server component that is affected by this vulnerability, Oracle recommends that customers apply this fix to the Oracle Database Server component as soon as possible.

Supported Products and Versions

Security Alerts are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers remain on actively supported versions so that they can take advantage of Oracle's Ongoing Security Assurance activities, and be able to obtain the security fixes released through the Critical Patch Update and Security Alert programs.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of the vulnerability addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by this vulnerability.

Supported releases of Oracle Database Server are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Security Alerts are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to request Security Alerts for products in the Extended Support Phase.

Patch Availability

Patches and relevant information for protecting against this vulnerability can be found in My Oracle Support Note 1480492.1. Mitigations for this issue for Oracle Database Server versions 9i through 11gR2 can be found in My Oracle Support Note 1482694.1.

Due to the threat posed by a successful attack, and the public disclosure of the technical details of this vulnerability, Oracle strongly recommends that customers apply this Security Alert solution as soon as possible.

Modification History

Date            Comments
2012-August-10  Rev 1. Initial Release

Oracle Database Server Executive Summary

This Security Alert contains 1 new security fix for the Oracle Database Server. This vulnerability is not remotely exploitable without authentication, i.e., it cannot be exploited over a network without a username and password. This fix is not applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.

Oracle Database Server Risk Matrix

CVE#:                              CVE-2012-3132
Component:                         Core RDBMS
Protocol:                          Oracle NET
Package and/or Privilege Required: Create session, create table
Remote Exploit without Auth.?:     No
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions):
  Base Score:                      6.5
  Access Vector:                   Network
  Access Complexity:               Low
  Authentication:                  Single
  Confidentiality:                 Partial+
  Integrity:                       Partial+
  Availability:                    Partial+
Supported Versions Affected:       10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3
Notes:                             See Note 1

Notes:

  1. 11.2.0.2 and 11.2.0.3 do not require patching if the July 2012 Critical Patch Update has been applied.
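The risk matrix above reports a CVSS v2.0 base score of 6.5 built from its sub-metrics. The following calculator is an added example, not part of Oracle's alert or tooling: it applies the published CVSS v2.0 base-score equations to the metrics in the matrix and reproduces the 6.5, and it also shows how the same impact would score if the "Remote Exploit without Auth.?" answer were Yes. It assumes that Oracle's "Partial+" annotation is scored with the standard CVSS "Partial" weight (0.275); the metric names and the CVE_2012_3132 dictionary are taken from this page, everything else is constructed.

```python
"""CVSS v2.0 base-score calculator (added example; not Oracle's own tool).

Reproduces the 6.5 base score in the risk matrix for CVE-2012-3132 from its
sub-metrics: Access Vector Network, Access Complexity Low, Authentication
Single, Confidentiality/Integrity/Availability Partial+.
Assumption: Oracle's "Partial+" is scored with the CVSS "Partial" weight
(0.275); the "+" is Oracle's annotation, not a CVSS value.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 base-metric weights, as published in the CVSS v2 specification.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}


def _impact_weight(label: str) -> float:
    # Normalise Oracle's "Partial+" annotation to the CVSS "Partial" weight (assumption).
    return IMPACT[label.rstrip("+")]


def cvss2_base_score(av, ac, au, c, i, a):
    """Return (base_score, impact, exploitability) for the given CVSS v2.0 base metrics."""
    c_w, i_w, a_w = (_impact_weight(x) for x in (c, i, a))
    impact = 10.41 * (1 - (1 - c_w) * (1 - i_w) * (1 - a_w))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    # f(Impact) is 0 when there is no impact at all, otherwise 1.176
    f_impact = 0.0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    # CVSS v2 base scores are rounded to one decimal place
    base = float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))
    return base, round(impact, 2), round(exploitability, 2)


# Risk-matrix entry for CVE-2012-3132 exactly as stated on this page
CVE_2012_3132 = dict(av="Network", ac="Low", au="Single",
                     c="Partial+", i="Partial+", a="Partial+")


def cve_2012_3132_score():
    """Score the page's risk-matrix entry; expected base score 6.5."""
    return cvss2_base_score(**CVE_2012_3132)


if __name__ == "__main__":
    base, impact, expl = cve_2012_3132_score()
    print(f"CVE-2012-3132: base={base} impact={impact} exploitability={expl}")
    # Same impact but Authentication None: what the score would be if the
    # vulnerability were remotely exploitable without a username and password.
    unauth = cvss2_base_score("Network", "Low", "None", "Partial", "Partial", "Partial")[0]
    print(f"Same impact without authentication: base={unauth}")
```

The Authentication weight (0.56 for Single versus 0.704 for None) is the only term separating the matrix's 6.5 from the 7.5 an unauthenticated variant would carry; when triaging, note that the attacker still needs only Create session and Create table, which many application accounts already hold.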