-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Reference: CERT-EU Security Advisory 2012-0058 Title: Unpatched vulnerability in TNS Listener service on Oracle Databases [1] NEW !![6.7] Version history: 27.04.2012 Initial publication 02.05.2012 More information from Oracle. Updates are marked with NEW !! Summary ======= The bug, which Oracle reported as fixed in the most recent Critical Patch Update [2,5], is only fixed in upcoming versions of the database, not in currently shipping releases, and there is publicly available proof-of-concept exploit code circulating [3,4]. The vulnerability affects the component called TNS Listener, which is the responsible of connections establishment. To exploit the vulnerability no privilege is needed, just network access to the TNS Listener. The “feature” exploited is enabled by default in all Oracle versions starting with Oracle 8i and ending with Oracle 11g [4]. NEW !!CVE-2012-1675 NEW !!CVSS V2 Base Score of 7.5, [7] NEW !!CVSS V2 Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P). [8] Affected Products and Versions ============================== All database versions from 8i to 11g R2 [3] NEW !! Supported versions that are affected are 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2 and 11.2.0.3. [6,9] What can you do? ================ Possible workarounds are available. See reference [4] for more information. NEW !! As a result of the details of this vulnerabilty being disclosed, Oracle has issued Security Alert CVE-2012-1675 to provide customers with a number of technical measures to provide effective defense against this vulnerability in all deployment scenarios. [7] NEW !! Oracle provides recommendations for protecting against this vulnerability [6] What to tell your users? ======================== N/A More information ================ [1] http://threatpost.com/en_us/blogs/critical-bug-reported-oracle-servers-042612 [2] http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html [3] http://seclists.org/fulldisclosure/2012/Apr/343 [4] http://seclists.org/fulldisclosure/2012/Apr/204 [5] http://cert.europa.eu/static/SecurityAdvisories/CERT-EU-SA2012-0055.txt [6] http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html [7] https://blogs.oracle.com/security/entry/security_alert_for_cve_2012 [8] Information about CVSS: http://www.first.org/cvss/cvss-guide.html [9] http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-verbose-1608181.html Best regards, CERT-EU CERT-EU Pre-configuration Team (http://cert.europa.eu) Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383 (DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in best effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source . Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.) -----BEGIN PGP SIGNATURE----- Version: BCPG v1.39 iQJXBAEBAgBBBQJPoRWAOhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4PzYw//WFAfDTqo D+jTQh74DCEogX2Zik3C9yHA2ic9ldIt4hWdDfwy3x9bUAPtdmnYScbBMl9Q7rFw A6Yu6C5Bw5gh8jeELVh6BjUi0PGHDqByLAaYg7kCvlXObdR60bCUUo+xrWlZ6mPJ W4zuhE3F44CS8syYydhcBn1GTXHns/5Q4kbNfG5xliQU5865yHyr7tr9rkAsaw17 4KoeGegMKsgOJ8j2lehV6ZHLm1d3HcTTnhjUUlRLv24OIlqy2OL9TzcAruhK9x56 n7zbILqdjngeNMNzc497x99xk9n3I0DnveJR/oSf49St0k7BEXh7TjOXaaB1H1e6 NdjcajvIV5TDtgNgpYPFBL8EkoQqWKp66BR0xEFi5INpnxApMtHkMSU1NJW1fGsN 4mGJunsR2VErRwxYKxR6Eu2MeOuW2rGxm88+eW2esugjFychlnX7zCBBn7saaba3 z5a5iToEaMWJU42/XSGp/e9p4m7UO0ZKyFuQMkKJflVG26LjcC5nRF9D8BJ2W+pX aMZ1cHbSojKayct5hlBbwIdzHS+vNE9tX1DdkVbQKOrHcqF8M7YG2HoxuOgskG0u kUBJGMIziKK+bfft/1OyuXkmSfJg/WVFgNvfRmBFps7L5PtSijPue7PQ8NRWL6Km MH8VdbE4NnPq2k59a2Wi63lSol63iUJB7J8= =nW3H -----END PGP SIGNATURE-----