Date: 01 May 2012
References: ASB-2012.0060
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0065
A vulnerability has been identified in Oracle Database 10g and 11g
1 May 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:              Oracle Database 10g
                      Oracle Database 11g
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-1675
Member content until: Thursday, May 31 2012
Reference:            ASB-2012.0060
Comment:              Proof of concept exploit code exists for this vulnerability.
OVERVIEW
A vulnerability has been identified in Oracle Database 10g Release 2,
versions 10.2.0.3, 10.2.0.4, 10.2.0.5, Oracle Database 11g Release 1,
version 11.1.0.7 and Oracle Database 11g Release 2, versions 11.2.0.2,
11.2.0.3. [1]
IMPACT
The vendor has provided the following details regarding this
vulnerability which has been assigned CVE-2012-1675:
"This security alert addresses the security issue CVE-2012-1675, a
vulnerability in the TNS listener which has been recently disclosed
as "TNS Listener Poison Attack" affecting the Oracle Database Server.
This vulnerability may be remotely exploitable without authentication,
i.e. it may be exploited over a network without the need for a username
and password. A remote user can exploit this vulnerability to impact
the confidentiality, integrity and availability of systems that do not
have recommended solution applied." [1]
MITIGATION
The vendor recommends that users apply the relevant patches to
correct this issue. [1]
REFERENCES
[1] Oracle Security Alert for CVE-2012-1675
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================