Oracle Patches Vulnerability Disclosed at Black Hat

Oracle has released a patch for a vulnerability (CVE-2012-3132) disclosed by David Litchfield from Accuvant Labs during the Black Hat security conference last month. The vulnerability, which is SQL injection at its core, allows an attacker to gain high-level privileges and take complete control of the server.

“It’s a privilege escalation vulnerability that gives an attacker SYSDBA privileges,” explained Alex Rothacker, Director of Security Research at Application Security, Inc. “In order to perform the exploit, one needs to have CREATE TABLE and CREATE PROCEDURE privileges as well as EXECUTE privileges on DBMS_STATS package.”

“In a properly configured system, most users should not have the above privileges, but application developers and some others typically do have these privileges,” Rothacker added. “In addition, many common software packages don’t implement proper separation of duties and grant the app account excessive privileges which can be used to exploit this vulnerability.”
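As an added defensive check that is not part of the article or of Oracle's advisory, the query below lists the database accounts that effectively hold all three prerequisites Rothacker names (CREATE TABLE, CREATE PROCEDURE and EXECUTE on DBMS_STATS), resolving nested role grants and grants to PUBLIC. It assumes an account that can read the DBA_* views and the CONNECT BY syntax available in Oracle 10g and later.

```sql
-- Exposure check for CVE-2012-3132 prerequisites (added example, not Oracle's code).
-- Step 1: expand role membership, so that a user who holds a role (or a role
-- that holds another role, e.g. RESOURCE) is credited with that role's grants.
WITH eff_roles AS (
    SELECT CONNECT_BY_ROOT grantee AS holder, granted_role AS role_name
    FROM   dba_role_privs
    CONNECT BY NOCYCLE PRIOR granted_role = grantee
),
-- Step 2: every principal whose grants a user effectively carries:
-- the user itself, PUBLIC (DBMS_STATS is commonly executable by PUBLIC),
-- and every role resolved above.
principals AS (
    SELECT username AS holder, username AS via FROM dba_users
    UNION ALL
    SELECT username, 'PUBLIC' FROM dba_users
    UNION ALL
    SELECT u.username, r.role_name
    FROM   dba_users u JOIN eff_roles r ON r.holder = u.username
),
-- Step 3: the two system privileges the exploit needs, via any principal.
sys_privs AS (
    SELECT DISTINCT p.holder, sp.privilege
    FROM   principals p JOIN dba_sys_privs sp ON sp.grantee = p.via
    WHERE  sp.privilege IN ('CREATE TABLE', 'CREATE PROCEDURE')
),
-- Step 4: EXECUTE on SYS.DBMS_STATS, via any principal.
stats_exec AS (
    SELECT DISTINCT p.holder
    FROM   principals p JOIN dba_tab_privs tp ON tp.grantee = p.via
    WHERE  tp.owner = 'SYS' AND tp.table_name = 'DBMS_STATS'
    AND    tp.privilege = 'EXECUTE'
)
-- Result: accounts holding all three prerequisites. Each row is an account that
-- could reach SYSDBA on an unpatched server and should be reviewed or trimmed.
SELECT u.username, u.account_status
FROM   dba_users u
JOIN   stats_exec e ON e.holder = u.username
JOIN   sys_privs  s ON s.holder = u.username
GROUP  BY u.username, u.account_status
HAVING SUM(CASE WHEN s.privilege = 'CREATE TABLE'     THEN 1 ELSE 0 END) > 0
   AND SUM(CASE WHEN s.privilege = 'CREATE PROCEDURE' THEN 1 ELSE 0 END) > 0
ORDER  BY u.username;
```

Accounts such as SYS and SYSTEM will always appear; the rows worth acting on are application and developer accounts, which on a patched server still indicate a separation-of-duties gap.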

The fix has been released for Oracle Database Server versions 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3. However, customers using 11.2.0.2 and 11.2.0.3 do not need to worry as long as they have the Critical Patch Update issued in July installed.

Otherwise, this is something Oracle wants all customers to pay attention to.

“Since Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite include the Oracle Database Server component that is affected by this vulnerability, Oracle recommends that customers apply this fix as soon as possible to the Oracle Database Server component,” the company’s advisory states.

“This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. A remote authenticated user can exploit this vulnerability to gain ‘SYS’ privileges and impact the confidentiality, integrity and availability of un-patched systems.”

Additional details are available in Oracle’s advisory.