By Eric P. Maurice-Oracle on Aug 10, 2012
Hi, this is Eric Maurice.
Oracle today released Security Alert CVE-2012-3132 to address a vulnerability affecting the Oracle Database Server, which was publicly disclosed at BlackHat 2012. With a CVSS Base Score of 6.5, this vulnerability involves the ‘INDEXTYPE CTXSYS.CONTEXT’, and if successfully exploited, can allow a malicious attacker to gain ‘SYS’ privileges. This vulnerability does not affect 11gR2 databases which have applied the July 2012 Critical Patch Update. Note that this vulnerability is not remotely exploitable without authentication, in other words, the attacker needs to a have credentials and specific privileges, including the ‘Create Table’ privilege, in order to create the exploit conditions. Oracle recommends that organizations apply this Security Alert as soon as possible because the technical details of this vulnerability have been very widely disclosed and one can easily find sample exploit code over the Internet.
As much as possible, it is important that organizations use the most current product versions available to them. As stated in each Critical Patch Update and Security Alert Advisory, Oracle does not generally test for the presence of the vulnerabilities fixed through the Critical Patch Update and Security Alert programs in releases of affected product lines that are no longer supported. However, it is likely that these vulnerabilities exist in previously released, but no longer supported releases of the affected products. In a previous blog entry, I discussed Oracle’s security fixing policies, and recommended that customers remain on current releases in order to take advantage of Oracle’s ongoing security assurance effort. This Security Alert, along with all recently released Critical Patch Updates, is an example of the importance of keeping up with newer and actively supported releases. Customers on unsupported versions, unless they have purchased Extended Support under the Lifetime Support Policy, will not receive a permanent fix for the release they are running.
It is unfortunate when the technical details of a security vulnerability are disclosed before a fix could be made available, especially when the disruption resulting from having to deal with an unplanned patch, and the amount of time required by customers to apply the patch, may yield less of a security posture improvement than other security efforts, such as ongoing hardening and auditing.
For more information:
The Security Alerts and Critical Patch Updates page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html
The Advisory for Security Alert CVE-2012-3132 is located at www.oracle.com/technetwork/topics/security/alert-cve-2012-3132-1721017.html
The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/index.html
The blog entry “Take Advantage of Oracle's Ongoing Assurance Effort!” is located at https://blogs.oracle.com/security/entry/take_advantage_of_oracles_ongo
The blog entry “Keeping Up With Newer Releases is Good Security Practice” is located at https://blogs.oracle.com/security/entry/keeping_up_with_newer_releases