Thursday Aug 30, 2012

Security Alert for CVE-2012-4681 Released

Hi, this is Eric Maurice again!

Oracle has just released Security Alert CVE-2012-4681 to address 3 distinct but related vulnerabilities and one security-in-depth issue affecting Java running in desktop browsers.  These vulnerabilities are: CVE-2012-4681, CVE-2012-1682, CVE-2012-3136, and CVE-2012-0547.  These vulnerabilities are not applicable to standalone Java desktop applications or Java running on servers, i.e. these vulnerabilities do not affect any Oracle server based software.

Vulnerabilities CVE-2012-4681, CVE-2012-1682, and CVE-2012-3136 have each received a CVSS Base Score of 10.0.  This score assumes that the affected users have administrative privileges, as is typical in Windows XP.  Vulnerability CVE-20120-0547 has received a CVSS Base Score of 0.0 because this vulnerability is not directly exploitable in typical user deployments, but Oracle has issued a security-in-depth fix for this issue as it can be used in conjunction with other vulnerabilities to significantly increase the overall impact of a successful exploit.

If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant discretionary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system.  Note that this malware may in some instances be detected by current antivirus signatures upon its installation. 

Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible.  Furthermore, note that the technical details of these vulnerabilities are widely available on the Internet and Oracle has received external reports that these vulnerabilities are being actively exploited in the wild.   

For more information:


Friday Aug 10, 2012

Security Alert CVE-2012-3132 Released

Hi, this is Eric Maurice.

Oracle today released Security Alert CVE-2012-3132 to address a vulnerability affecting the Oracle Database Server, which was publicly disclosed at BlackHat 2012.  With a CVSS Base Score of 6.5, this vulnerability involves the ‘INDEXTYPE CTXSYS.CONTEXT’, and if successfully exploited, can allow a malicious attacker to gain ‘SYS’ privileges.  This vulnerability does not affect 11gR2 databases which have applied the July 2012 Critical Patch Update.  Note that this vulnerability is not remotely exploitable without authentication, in other words, the attacker needs to a have credentials and specific privileges, including the ‘Create Table’ privilege, in order to create the exploit conditions.  Oracle recommends that organizations apply this Security Alert as soon as possible because the technical details of this vulnerability have been very widely disclosed and one can easily find sample exploit code over the Internet.

As much as possible, it is important that organizations use the most current product versions available to them.  As stated in each Critical Patch Update and Security Alert Advisory, Oracle does not generally test for the presence of the vulnerabilities fixed through the Critical Patch Update and Security Alert programs in releases of affected product lines that are no longer supported.  However, it is likely that these vulnerabilities exist in previously released, but no longer supported releases of the affected products.  In a previous blog entry, I discussed Oracle’s security fixing policies, and recommended that customers remain on current releases in order to take advantage of Oracle’s ongoing security assurance effort.  This Security Alert, along with all recently released Critical Patch Updates, is an example of the importance of keeping up with newer and actively supported releases.  Customers on unsupported versions, unless they have purchased Extended Support under the Lifetime Support Policy, will not receive a permanent fix for the release they are running. 

It is unfortunate when the technical details of a security vulnerability are disclosed before a fix could be made available, especially when the disruption resulting from having to deal with an unplanned patch, and the amount of time required by customers to apply the patch, may yield less of a security posture improvement than other security efforts, such as ongoing hardening and auditing. 

For more information:

The Security Alerts and Critical Patch Updates page is located at

The Advisory for Security Alert CVE-2012-3132 is located at

The Oracle Software Security Assurance web site is located at

The blog entry “Take Advantage of Oracle's Ongoing Assurance Effort!” is located at

The blog entry “Keeping Up With Newer Releases is Good Security Practice” is located at




This blog provides insight about key aspects of Oracle Software Security Assurance programs.


  • Oracle
« August 2012 »