ASB-2012.0114 - ALERT [Win][UNIX/Linux] Oracle Database Server: Increased privileges - Existing account

Date: 13 August 2012
References: ASB-2012.0143  


===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0114
                  Oracle Security Alert for CVE-2012-3132
                              13 August 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Database Server
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Increased Privileges -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-3132  
Member content until: Wednesday, September 12 2012

Comment: Proof of concept is available for this vulnerability.

OVERVIEW

        A privilege escalation vulnerability has been identified in Oracle
        Database Server versions 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7,
        11.2.0.2, and 11.2.0.3.


IMPACT

        The vendor has provided the following information about the
        vulnerability:
        
        "This security alert addresses the security issue CVE-2012-3132, the
        Privilege Escalation vulnerability in the Oracle Database Server that
        was recently disclosed at the Black Hat USA 2012 Briefings held in July
        2012 involving INDEXTYPE CTXSYS.CONTEXT. This vulnerability is not
        remotely exploitable without authentication, i.e., may not be exploited
        over a network without the need for a username and password. A remote
        authenticated user can exploit this vulnerability to gain 'SYS'
        privileges and impact the confidentiality, integrity and availability
        of un-patched systems." [1]


MITIGATION

        Users should apply the available patch. The vendor has also stated
        that:
        
        "Since Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle
        E-Business Suite include the Oracle Database Server component that is
        affected by this vulnerability, Oracle recommends that customers apply
        this fix as soon as possible to the Oracle Database Server component."
        [1]
        
        "Oracle Database Server versions 11.2.0.2 and 11.2.0.3 do not require
        patching if the July 2012 Critical Patch Update has been applied." [1]
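
        The following triage helper is an added example and is not part of
        this AusCERT bulletin or of Oracle's alert. It encodes the affected
        version list from the OVERVIEW above and the exception stated in the
        MITIGATION section (11.2.0.2 and 11.2.0.3 are already covered once
        the July 2012 Critical Patch Update is applied), so that an inventory
        of database instances can be sorted into "patch required" and "not
        affected" groups. The banner strings are in the format returned by
        Oracle's V$VERSION view; the host names and the inventory rows are
        constructed sample data, and the exact wording of the result strings
        is the example's own choice.

```python
import re
from typing import Dict, List, Optional

# Affected releases as listed in ASB-2012.0114 (first four components of
# the Oracle release string, e.g. "11.2.0.3" from "Release 11.2.0.3.0").
AFFECTED = {"10.2.0.3", "10.2.0.4", "10.2.0.5", "11.1.0.7", "11.2.0.2", "11.2.0.3"}

# Releases the bulletin says need no separate patch if the July 2012
# Critical Patch Update has already been applied.
FIXED_BY_JULY_2012_CPU = {"11.2.0.2", "11.2.0.3"}

# V$VERSION banners look like
# "Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production";
# we keep the first four numeric components and drop the trailing ".0".
_RELEASE_RE = re.compile(r"Release\s+(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?")


def release_from_banner(banner: str) -> Optional[str]:
    """Return the four-component release (e.g. '11.2.0.3') or None if absent."""
    match = _RELEASE_RE.search(banner)
    return match.group(1) if match else None


def triage(banner: str, july_2012_cpu_applied: bool) -> str:
    """Classify one instance against the bulletin's affected list and exception."""
    release = release_from_banner(banner)
    if release is None:
        return "unknown: could not parse release from banner"
    if release not in AFFECTED:
        return "not in the bulletin's affected list (verify support status)"
    if release in FIXED_BY_JULY_2012_CPU and july_2012_cpu_applied:
        return "covered by July 2012 CPU"
    return "patch required (Oracle Security Alert CVE-2012-3132)"


# Constructed sample inventory; these are not real hosts.
INVENTORY: List[Dict[str, object]] = [
    {"host": "db-a.example", "cpu_jul2012": True,
     "banner": "Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production"},
    {"host": "db-b.example", "cpu_jul2012": False,
     "banner": "Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production"},
    # 10.2.0.x has no CPU exception in the bulletin, so the CPU flag does not help here.
    {"host": "db-c.example", "cpu_jul2012": True,
     "banner": "Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production"},
    {"host": "db-d.example", "cpu_jul2012": False,
     "banner": "Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production"},
]


def triage_inventory(inventory: List[Dict[str, object]]) -> Dict[str, str]:
    """Map each host in the inventory to its triage result."""
    return {
        str(row["host"]): triage(str(row["banner"]), bool(row["cpu_jul2012"]))
        for row in inventory
    }


if __name__ == "__main__":
    for host, verdict in triage_inventory(INVENTORY).items():
        print(f"{host}: {verdict}")
```

        The script only reads banner strings and a flag the administrator
        supplies for whether the July 2012 CPU is installed; confirming that
        flag still requires checking the instance's own patch inventory.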


REFERENCES

        [1] Oracle Security Alert for CVE-2012-3132
            http://www.oracle.com/technetwork/topics/security/alert-cve-2012-3132-1721017.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================