Oracle Patches Vulnerability Disclosed at Black Hat

Oracle has released a patch for a vulnerability (CVE-2012-3132) disclosed by David Litchfield from Accuvant Labs during the Black Hat security conference last month. The vulnerability, which is SQL Injection at its core, allows an attacker to gain high-level privileges, and take complete control over the server.

“It’s a privilege escalation vulnerability that gives an attacker SYSDBA privileges,” explained Alex Rothacker, Director of Security Research at Application Security, Inc. “In order to perform the exploit, one needs to have CREATE TABLE and CREATE PROCEDURE privileges as well as EXECUTE privileges on DBMS_STATS package.”

“In a properly configured system, most users should not have above privileges, but application developers and some others typically do have these privileges,” Rothacker added. “In addition, many common software packages don’t implement proper separation of duties and grant the app account excessive privileges which can be used to exploit this vulnerability.”
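The practical defensive question raised by Rothacker’s remarks is which accounts in a given database actually hold all three preconditions he names. The following audit query is an added example, not code from SecurityWeek, Oracle, or Application Security, Inc. It assumes the standard Oracle data-dictionary views DBA_USERS, DBA_ROLE_PRIVS, DBA_SYS_PRIVS and DBA_TAB_PRIVS and must be run from a DBA account; it goes beyond direct grants by expanding nested roles and PUBLIC, since a privilege inherited through a role is just as usable as one granted directly.

```sql
-- Added example (not from the article or from Oracle's advisory):
-- list every account that effectively holds CREATE TABLE, CREATE PROCEDURE
-- and EXECUTE on SYS.DBMS_STATS, whether granted directly, via PUBLIC,
-- or through any chain of roles. Assumes standard Oracle dictionary views.

-- Walk the role hierarchy so nested roles resolve to the user holding them.
-- (Oracle forbids circular role grants, so the recursion terminates.)
WITH role_tree (grantee, role_name) AS (
  SELECT grantee, granted_role
    FROM dba_role_privs
  UNION ALL
  SELECT rt.grantee, rp.granted_role
    FROM role_tree rt
    JOIN dba_role_privs rp ON rp.grantee = rt.role_name
),
-- Every principal whose grants a user effectively inherits:
-- the user itself, PUBLIC, and each role reachable from the user.
effective (username, principal) AS (
  SELECT username, username FROM dba_users
  UNION ALL
  SELECT username, 'PUBLIC' FROM dba_users
  UNION ALL
  SELECT rt.grantee, rt.role_name
    FROM role_tree rt
    JOIN dba_users u ON u.username = rt.grantee
),
-- System privileges of interest, attributed to the inheriting user.
sys_privs AS (
  SELECT DISTINCT e.username, sp.privilege
    FROM effective e
    JOIN dba_sys_privs sp ON sp.grantee = e.principal
   WHERE sp.privilege IN ('CREATE TABLE', 'CREATE PROCEDURE')
),
-- Users that can execute SYS.DBMS_STATS through any of their principals.
stats_exec AS (
  SELECT DISTINCT e.username
    FROM effective e
    JOIN dba_tab_privs tp ON tp.grantee = e.principal
   WHERE tp.owner = 'SYS'
     AND tp.table_name = 'DBMS_STATS'
     AND tp.privilege = 'EXECUTE'
)
SELECT u.username,
       u.account_status
  FROM dba_users u
  JOIN stats_exec se ON se.username = u.username
 WHERE (SELECT COUNT(*) FROM sys_privs sp
         WHERE sp.username = u.username) = 2   -- both system privileges held
   AND u.username NOT IN ('SYS', 'SYSTEM')     -- already fully privileged
 ORDER BY u.username;
```

On many installations PUBLIC already holds EXECUTE on DBMS_STATS, so the result set tends to reduce to “every account with CREATE TABLE and CREATE PROCEDURE”, which is exactly the population (developers, over-privileged application accounts) Rothacker describes. Accounts that appear here but have no legitimate need for those grants are candidates for revocation, and the list is a useful way to prioritise which databases to patch first.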

The fix has been released for Oracle Database Server versions 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3. However, customers using 11.2.0.2 and 11.2.0.3 do not need to worry as long as they have the Critical Patch Update issued in July installed.

Otherwise, this is something Oracle wants all customers to pay attention to.

“Since Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite include the Oracle Database Server component that is affected by this vulnerability, Oracle recommends that customers apply this fix as soon as possible to the Oracle Database Server component,” the company’s advisory states.

“This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. A remote authenticated user can exploit this vulnerability to gain ‘SYS’ privileges and impact the confidentiality, integrity and availability of un-patched systems.”

Additional details from Oracle are available here.
