
U-233: Oracle Database INDEXTYPE CTXSYS.CONTEXT Bug Lets Remote Authenticated Users Gain Elevated Privileges

August 13, 2012 - 7:00am


PROBLEM:

Oracle Database INDEXTYPE CTXSYS.CONTEXT Bug Lets Remote Authenticated Users Gain Elevated Privileges

PLATFORM:

Oracle Database Server versions 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3

ABSTRACT:

A remote authenticated user with 'Create Table' privileges can gain 'SYS' privileges on the target system.

Reference LINKS:

Oracle Security Alert
Oracle Security Alert - CVE-2012-3132 Risk Matrices
SecurityTracker Alert ID: 1027367
CVE-2012-3132

IMPACT ASSESSMENT:

Medium

Discussion:

A vulnerability was reported in Oracle Database. It is not remotely exploitable without authentication: an attacker needs a valid username and password to reach it over the network. A remote authenticated user holding the CREATE TABLE privilege can exploit it to gain SYS privileges and thereby compromise the confidentiality, integrity and availability of unpatched systems. Versions 11.2.0.2 and 11.2.0.3 are not affected on systems that have applied the July 2012 Critical Patch Update; the other listed versions need the patches referenced under Solution below.

Impact:

A remote authenticated user with 'Create Table' privileges can gain 'SYS' privileges on the target system.
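The following triage script is an editorial addition, not text from the advisory or from Oracle. Run as a DBA in SQL*Plus, it checks the conditions the Discussion and Impact sections set out: the database version, whether Oracle Text (the CTXSYS schema that owns the CONTEXT indextype) is installed at all, whether a July 2012 CPU/PSU has been recorded, and which accounts hold CREATE TABLE directly or through a role. The LIKE patterns on DBA_REGISTRY_HISTORY.COMMENTS are an assumption about how the patch records itself; adjust them to what your patch actually writes.

```sql
-- Editorial triage script for CVE-2012-3132 (not part of the advisory or Oracle's alert).
-- Run as a DBA in SQL*Plus against each database in scope.
SET LINESIZE 160 PAGESIZE 100

-- 1. Version: the advisory lists 10.2.0.3-10.2.0.5, 11.1.0.7, 11.2.0.2 and 11.2.0.3.
SELECT banner FROM v$version WHERE banner LIKE 'Oracle Database%';

-- 2. Is Oracle Text installed? Without the CTXSYS component there is no
--    CTXSYS.CONTEXT indextype for the bug to live in.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id = 'CONTEXT';

-- 3. Patch state. ASSUMPTION: the July 2012 CPU/PSU records itself in
--    DBA_REGISTRY_HISTORY with 'CPUJul2012' or 'PSU' in COMMENTS; adjust
--    the patterns to match what your patch writes. On 11.2.0.2/11.2.0.3 the
--    July 2012 CPU closes the bug; other releases need the Security Alert patch.
SELECT action_time, action, version, id, comments
  FROM dba_registry_history
 WHERE UPPER(comments) LIKE '%CPUJUL2012%'
    OR UPPER(comments) LIKE '%PSU%'
 ORDER BY action_time DESC;

-- 4. Who meets the exploitation precondition: every account holding
--    CREATE TABLE directly ...
SELECT grantee, 'DIRECT' AS via
  FROM dba_sys_privs
 WHERE privilege = 'CREATE TABLE'
   AND grantee NOT IN ('SYS', 'SYSTEM')
UNION ALL
-- ... or through a role, including roles nested in roles (RESOURCE and DBA
-- both carry CREATE TABLE). CONNECT BY NOCYCLE keeps this usable on 10.2,
-- where recursive WITH is not available.
SELECT DISTINCT t.grantee, t.via
  FROM (
        SELECT CONNECT_BY_ROOT grantee AS grantee, granted_role AS via
          FROM dba_role_privs
         START WITH grantee IN (SELECT username FROM dba_users)
       CONNECT BY NOCYCLE PRIOR granted_role = grantee
       ) t
  JOIN dba_sys_privs sp ON sp.grantee = t.via
 WHERE sp.privilege = 'CREATE TABLE'
   AND t.grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY 1, 2;
```

The last query is the list to trim while the patch is pending: a grant of CREATE TABLE to PUBLIC or to a broadly held role turns every authenticated account into a candidate attacker. Patching remains the fix; revoking the privilege only narrows who can reach the bug.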

Solution:

Patches and relevant information for protecting against this vulnerability can be found in My Oracle Support (login required).
