-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0096
Title: Oracle Security Alert for CVE-2012-3132 [1]
Version history:
    10.08.2012  Initial publication

Summary
=======

This security alert addresses CVE-2012-3132, a privilege escalation
vulnerability in the Oracle Database Server that was recently disclosed
at the Black Hat USA 2012 Briefings held in July 2012 and involves the
INDEXTYPE CTXSYS.CONTEXT.

This vulnerability is not remotely exploitable without authentication,
i.e., it cannot be exploited over a network without a username and
password. A remote authenticated user can exploit this vulnerability to
gain 'SYS' privileges and impact the confidentiality, integrity and
availability of unpatched systems.

CVE-2012-3132
    CVSS v2 Base Score: 6.5 (MEDIUM) [1,3]
    Base Metrics: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Vulnerable systems
==================

Oracle Database Server versions 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7,
11.2.0.2, 11.2.0.3

Note: Oracle Database Server versions 11.2.0.2 and 11.2.0.3 do not
require patching if the July 2012 Critical Patch Update has been
applied.

Since Oracle Fusion Middleware, Oracle Enterprise Manager and Oracle
E-Business Suite include the Oracle Database Server component that is
affected by this vulnerability, Oracle recommends that customers apply
this fix to the Oracle Database Server component as soon as possible.

Original Details
================

SQL injection vulnerability in Oracle Database Server 10.2.0.3, 10.2.0.4,
10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote authenticated
users to execute arbitrary SQL commands via vectors involving CREATE
INDEX with a CTXSYS.CONTEXT INDEXTYPE and DBMS_STATS.GATHER_TABLE_STATS
[2].

What can you do?
================

A fix is available [1]. Since the technique was presented publicly at
Black Hat USA 2012, treat unpatched systems as exposed to any
authenticated user who is able to create an index; installations of
11.2.0.2 and 11.2.0.3 that already carry the July 2012 Critical Patch
Update need no further action.

What to tell your users?
========================

N/A

More information
================

[1] http://www.oracle.com/technetwork/topics/security/alert-cve-2012-3132-1721017.html
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3132
[3] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJQKRPkAAoJEPpzpNLI8SVomWIP/An2vageY3e8beGJDF87uAes
dIeu9FcF15FpO6I4ATMH9qre9IIISN6KoxSr98EzUgRepvXSc5j0aXUcBAQCfttH
l2Noujo91SJctDesrY+QpzjlEdJIXmA9x5eX+hJVibQ1ikX4DhyVH3l9JJijU4Zr
HDOikTwjJcvTq4ptHOG3fsiDoCw66zSRnyEWp2FWvoYBktnzepDaVnfrq1A+d0PF
npuFYKKcxN/sQUtmAEsxpYgQa4MgLABcZYEjzAftPuqN08bMCovmrvAIiePYuJro
Svlg9nWqygln1xp7eE82rTlOl2DaKj7kWhp5btz/oUzrrYWrTefimL2G+AB+Di30
L18eqiCM5JtD0JURbftMJgeY626PhbYmriUBM1eANyCZ8jIzBf991eZ8dnVp6RG8
Csx5pnhZfFackugkiD0P9Kp1wSYCItLVBDdPNjKljgrefTCaPx8N0KLDA5qVciTZ
04IBUDhUHXXnZM4XpacFFpByd6mn9yi/li2aSnTjUTFjx0eMEZsQv7pzdRAKKKIN
y5ibgfEbUV97VC3X9umy7Z4KUinja5A7ZDvIR4+UADoCSl/KtR25KeU1xrjhYRnx
2ZDuDgo3u6ViY3oMdSg24huRbl/gD2pLmI1aO9TUjwE1nnTMAXCKmdmCnwVVccyp
VBFqes62RGX0iDrfZbeq
=D9WG
-----END PGP SIGNATURE-----
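Editor's addition, placed after the signed advisory and not part of the CERT-EU text or of Oracle's alert: a set of SQL*Plus queries a DBA can run as a privileged account to scope exposure to CVE-2012-3132 before and after patching. They check whether the instance is one of the affected releases, whether Oracle Text (the component that provides the CTXSYS.CONTEXT indextype named in the advisory) is installed, what patch activity the dictionary has recorded, which CONTEXT domain indexes exist and who created them, and which accounts hold privileges that let them create an index at all. The dictionary views are standard Oracle ones; the label text searched for in patch history and the privilege set used in the last query are the editor's assumptions and should be adjusted to the local environment.

```sql
-- Added example (not from the advisory or Oracle's alert): exposure checks
-- for CVE-2012-3132, to be run in SQL*Plus as SYS or another DBA account.
SET LINESIZE 200
SET PAGESIZE 100

-- 1. Release check: affected versions are 10.2.0.3, 10.2.0.4, 10.2.0.5,
--    11.1.0.7, 11.2.0.2 and 11.2.0.3 (from the advisory).
SELECT banner
  FROM v$version
 WHERE banner LIKE 'Oracle Database%';

-- 2. Is Oracle Text installed? CTXSYS.CONTEXT only exists when the CONTEXT
--    component is present; if it is missing, this vector is unavailable.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id = 'CONTEXT';

-- 3. Patch history as recorded in the dictionary. Critical Patch Updates
--    and bundles that ran catcpu/catbundle appear here; a one-off fix applied
--    only with OPatch shows up in `opatch lsinventory` instead, so check both.
--    The 'Jul%2012' filter is an assumption about the label text; drop the
--    WHERE clause to see every entry.
SELECT action_time, action, namespace, version, id, comments
  FROM dba_registry_history
 WHERE UPPER(comments) LIKE '%JUL%2012%'
    OR UPPER(comments) LIKE '%3132%'
 ORDER BY action_time DESC;

-- 4. Existing CONTEXT domain indexes, their owners, parameters and creation
--    time. Indexes owned by ordinary application schemas, especially ones
--    created recently, deserve a closer look on an unpatched system.
SELECT i.owner, i.index_name, i.table_owner, i.table_name,
       i.parameters, o.created
  FROM dba_indexes i
  JOIN dba_objects o
    ON o.owner = i.owner
   AND o.object_name = i.index_name
   AND o.object_type = 'INDEX'
 WHERE i.ityp_owner = 'CTXSYS'
   AND i.ityp_name  = 'CONTEXT'
 ORDER BY o.created DESC;

-- 5. Accounts that could create such an index. A user who can create a
--    table in its own schema can index it; CREATE ANY INDEX covers other
--    schemas' tables; RESOURCE is included because it carries CREATE TABLE.
--    Grantees may be roles as well as users, and nested role grants are not
--    expanded here (assumption for brevity). Locked accounts are excluded.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE TABLE', 'CREATE ANY TABLE', 'CREATE ANY INDEX')
UNION
SELECT grantee
  FROM dba_role_privs
 WHERE granted_role IN ('RESOURCE', 'DBA')
MINUS
SELECT username
  FROM dba_users
 WHERE account_status LIKE '%LOCKED%'
 ORDER BY 1;
```

Run the script once before applying the fix to record which schemas hold CONTEXT indexes and index-creation rights, and again afterwards to confirm that query 3 reflects the July 2012 CPU or the alert's patch; any CONTEXT index that appeared in a non-DBA schema during the exposure window is worth reviewing alongside the audit trail.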