PROBLEM:
Oracle Database INDEXTYPE CTXSYS.CONTEXT Bug Lets Remote Authenticated Users Gain Elevated Privileges
PLATFORM:
Oracle Database Server versions 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3
ABSTRACT:
A remote authenticated user with 'Create Table' privileges can gain 'SYS' privileges on the target system.
REFERENCE LINKS:
Oracle Security Alert
Oracle Security Alert - CVE-2012-3132 Risk Matrices
SecurityTracker Alert ID: 1027367
CVE-2012-3132
IMPACT ASSESSMENT:
Medium
Discussion:
A vulnerability was reported in Oracle Database. It is not remotely exploitable without authentication, i.e., it cannot be exploited over a network without a username and password. A remote authenticated user can exploit it to gain 'SYS' privileges and impact the confidentiality, integrity and availability of unpatched systems. Versions 11.2.0.2 and 11.2.0.3 are not affected on systems that have the July 2012 Critical Patch Update.
Impact:
A remote authenticated user with 'Create Table' privileges can gain 'SYS' privileges on the target system.
Solution:
Patches and relevant information for protecting against this vulnerability can be found in My Oracle Support.
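
To size exposure while patches are scheduled, the queries below list the server version, the recorded patch history, and every account that holds the 'Create Table' precondition directly, through nested roles, or via PUBLIC. This is an added example, not part of the original advisory or of Oracle's guidance; it assumes a DBA session that can read the standard DBA_* dictionary views, and including CREATE ANY TABLE alongside CREATE TABLE is an assumption made here for completeness.

```sql
-- Added example: exposure audit for the precondition named in this advisory.

-- 1. Server version, to compare against the PLATFORM list above.
SELECT banner FROM v$version WHERE banner LIKE 'Oracle Database%';

-- 2. Patch actions recorded in the database, to review by hand for the
--    July 2012 Critical Patch Update.
SELECT action_time, action, version, comments
FROM   dba_registry_history
ORDER  BY action_time;

-- 3. Accounts that can create tables, and how they obtained the privilege.
SELECT DISTINCT
       p.holder,
       NVL(u.account_status, 'N/A (PUBLIC)') AS account_status,
       p.privilege,
       p.granted_via
FROM  (
        -- privilege granted straight to the account (or to PUBLIC)
        SELECT grantee AS holder, privilege, 'DIRECT' AS granted_via
        FROM   dba_sys_privs
        WHERE  privilege IN ('CREATE TABLE', 'CREATE ANY TABLE')
        UNION ALL
        -- privilege inherited through a role, following role-to-role grants
        SELECT r.root_grantee, sp.privilege, 'ROLE ' || r.granted_role
        FROM  (
                SELECT CONNECT_BY_ROOT grantee AS root_grantee, granted_role
                FROM   dba_role_privs
                CONNECT BY PRIOR granted_role = grantee
              ) r
        JOIN   dba_sys_privs sp ON sp.grantee = r.granted_role
        WHERE  sp.privilege IN ('CREATE TABLE', 'CREATE ANY TABLE')
      ) p
LEFT JOIN dba_users u ON u.username = p.holder
-- keep real accounts and PUBLIC; drop rows where the holder is only a role
WHERE  u.username IS NOT NULL OR p.holder = 'PUBLIC'
ORDER  BY p.holder, p.privilege, p.granted_via;
```

A PUBLIC row in the third result means every database account meets the precondition; rows for locked or expired accounts still matter if those accounts can be reopened.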