Oracle Security Alert for CVE-2012-3132
Description
This security alert addresses the security issue CVE-2012-3132, the Privilege Escalation vulnerability in the Oracle Database Server that was recently disclosed at the Black Hat USA 2012 Briefings held in July 2012 involving INDEXTYPE CTXSYS.CONTEXT. This vulnerability is not remotely exploitable without authentication, i.e., it cannot be exploited over a network without a username and password. A remote authenticated user can exploit this vulnerability to gain ‘SYS’ privileges and impact the confidentiality, integrity and availability of un-patched systems.
Affected Products and Versions
- Oracle Database Server versions 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3
Note: Oracle Database Server versions 11.2.0.2 and 11.2.0.3 do not require patching if the July 2012 Critical Patch Update has been applied.
Since Oracle Fusion Middleware, Oracle Enterprise Manager and Oracle E-Business Suite include the Oracle Database Server component that is affected by this vulnerability, Oracle recommends that customers apply this fix to the Oracle Database Server component as soon as possible.
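An exposure check a DBA can run against the points this alert lists (affected versions, whether the July 2012 CPU is registered, which accounts hold the CREATE SESSION and CREATE TABLE privileges the risk matrix names, and which schemas use CTXSYS.CONTEXT indexes). This is an added example, not part of Oracle's alert; it assumes a DBA account with SELECT on the DBA_* catalog views and that the CPU/PSU post-install script has populated DBA_REGISTRY_HISTORY.

```sql
-- Exposure check for CVE-2012-3132 (added example, not Oracle's own code).
-- Run from SQL*Plus as a DBA account.

-- 1. Database version: compare against the affected releases
--    10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3.
SELECT banner FROM v$version WHERE banner LIKE 'Oracle Database%';

-- 2. Is Oracle Text (the component that provides CTXSYS.CONTEXT) installed?
SELECT comp_id, version, status
  FROM dba_registry
 WHERE comp_id = 'CONTEXT';

-- 3. For 11.2.0.2 / 11.2.0.3: look for the July 2012 CPU in the bundle
--    history. Assumption: the patch post-install script ran; an empty
--    result therefore means "not recorded", which should be treated as
--    "not applied" until confirmed with OPatch on the Oracle home.
SELECT action_time, action, version, id, comments
  FROM dba_registry_history
 ORDER BY action_time DESC;

-- 4. Open accounts holding CREATE TABLE directly or through a directly
--    granted role (CREATE SESSION is near-universal, so CREATE TABLE is the
--    discriminating privilege). Nested roles are not expanded here.
SELECT DISTINCT u.username
  FROM dba_users u
  JOIN dba_sys_privs p
    ON p.grantee = u.username
    OR p.grantee IN (SELECT r.granted_role
                       FROM dba_role_privs r
                      WHERE r.grantee = u.username)
 WHERE p.privilege = 'CREATE TABLE'
   AND u.account_status = 'OPEN'
 ORDER BY u.username;

-- 5. Existing CONTEXT domain indexes, so the schemas that depend on the
--    indextype are known before applying the patch or a mitigation from
--    My Oracle Support Note 1482694.1.
SELECT owner, index_name, table_owner, table_name
  FROM dba_indexes
 WHERE ityp_owner = 'CTXSYS'
   AND ityp_name  = 'CONTEXT'
 ORDER BY owner, index_name;
```

Query 4 is the list to review against the required-privilege column of the risk matrix; accounts that appear there and can connect over Oracle NET are the ones this alert's exploit scenario applies to.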
Supported Products and Versions
Security Alerts are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers remain on actively supported versions so that they can take advantage of Oracle’s Ongoing Security Assurance activities, and be able to obtain the security fixes released through the Critical Patch Update and Security Alert programs.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of the vulnerability addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by this vulnerability.
Supported releases of Oracle Database Server are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
Products in Extended Support
Security Alerts are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to request Security Alerts for products in the Extended Support Phase.
Patch Availability
Patches and relevant information for protecting against this vulnerability can be found in My Oracle Support Note 1480492.1. Mitigations for this issue for Oracle Database Server versions 9i through 11gR2 can be found in My Oracle Support Note 1482694.1.
Due to the threat posed by a successful attack, and the public disclosure of the technical details of this vulnerability, Oracle strongly recommends that customers apply this Security Alert solution as soon as possible.
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Oracle Security Alert for CVE-2012-3132 Patch Availability Document for Fusion Middleware Suite [ My Oracle Support Note 1480492.1 ]
- Oracle Critical Patch Updates and Security Alerts – Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
- English text version of the risk matrix [ Oracle Technology Network ]
- CVRF XML version of the risk matrix [ Oracle Technology Network ]
- List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
- Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]
Modification History
| Date | Comments |
|---|---|
| 2012-August-10 | Rev 1. Initial Release |
Oracle Database Server Executive Summary
This Security Alert contains 1 new security fix for the Oracle Database Server. This vulnerability is not remotely exploitable without authentication, i.e., it cannot be exploited over a network without a username and password. This fix is not applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed. The English text form of this Risk Matrix follows below.
Oracle Database Server Risk Matrix
| CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | CVSS 2.0 Base Score (see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2012-3132 | Core RDBMS | Oracle NET | Create session, create table | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3 | See Note 1 |
Notes:
- 11.2.0.2 and 11.2.0.3 do not require patching if the July 2012 Critical Patch Update has been applied.