U-268: Oracle Database Authentication Protocol Discloses Session Key Information to Remote Users

September 26, 2012 - 6:00am

PROBLEM:

Oracle Database Authentication Protocol Discloses Session Key Information to Remote Users

PLATFORM:

Oracle Database 11g Releases 1 and 2

ABSTRACT:

A vulnerability was reported in Oracle Database. A remote user who can reach the database listener can obtain the session key and salt for a target account and use them to guess that account's password offline.

REFERENCE LINKS:

Darkreading
Threatpost
Arstechnica
Oracle Security Alerts
SecurityTracker Alert ID: 1027558
CVE-2012-3137

IMPACT ASSESSMENT:

Medium

Discussion:

The authentication protocol in Oracle Database 11g Releases 1 and 2 allows remote attackers to obtain the session key and salt for arbitrary users. Because the server discloses these values before the client has proven knowledge of the password, they leak information about the password's cryptographic hash and make it easier to conduct brute-force password guessing attacks offline, without further contact with the server, aka the "stealth password cracking vulnerability."

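The following is an added example written for this bulletin; it is not code from the page, from Oracle, or from the researchers cited above. It models the weakness in the Discussion: a server that hands out a salt and a session key encrypted under a password-derived key before the client has authenticated gives an attacker everything needed to test password guesses offline. The key derivation (SHA-1 of password and salt), the stand-in stream cipher (counter-mode SHA-256 in place of a block cipher, so the example has no dependencies), the recognisable padding trailer used as the guess check, the salt, the password and the wordlist are all constructed assumptions for the illustration and are not the real protocol's parameters.

```python
"""Model of an authentication exchange that leaks salt and a
password-keyed ciphertext before the client proves anything, and the
offline guessing attack that leak enables. Added illustration; all
cryptographic details below are assumptions, not the real protocol."""
import hashlib
import os
from typing import Iterable, Optional, Tuple

# Constructed: the encrypted session key carries a fixed padding trailer,
# so a guesser can tell a correct decryption from a wrong one.
PAD = bytes([8]) * 8


def derive_key(password: str, salt: bytes) -> bytes:
    """Assumed key derivation: a single, fast hash of password || salt.
    A fast derivation is what makes offline guessing cheap."""
    return hashlib.sha1(password.encode("utf-8") + salt).digest()


def keystream(key: bytes, n: int) -> bytes:
    """Stand-in stream cipher (counter mode over SHA-256) used instead of a
    block cipher so the example runs with the standard library only."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def server_first_message(password: str, salt: bytes,
                         session_key: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Vulnerable behaviour: on receiving only a username, the server
    replies with the account's salt and the session key encrypted under a
    key derived from the account password. No proof of the password has
    been required yet, so anyone who sends a username gets this."""
    if session_key is None:
        session_key = os.urandom(40)
    plaintext = session_key + PAD
    ciphertext = xor_bytes(plaintext, keystream(derive_key(password, salt), len(plaintext)))
    return salt, ciphertext


def crack(salt: bytes, ciphertext: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing: derive a key from each candidate password and the
    leaked salt, decrypt, and accept the candidate whose plaintext ends in
    the expected trailer. A random wrong key produces the 8-byte trailer
    with probability 2**-64, so a match identifies the password."""
    for guess in wordlist:
        plaintext = xor_bytes(ciphertext, keystream(derive_key(guess, salt), len(ciphertext)))
        if plaintext.endswith(PAD):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample: one captured server reply and a small wordlist.
    salt, enc = server_first_message("Summer2012", b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a")
    print("recovered password:", crack(salt, enc, ["password", "oracle", "tiger", "Summer2012"]))
```

Nothing in the attack loop touches the server again, which is why the page calls it "stealth" cracking: the only network traffic is the single request that triggers the server's first reply, and the rest is bounded only by how fast the attacker can evaluate the key derivation.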
Impact:

A remote user can obtain session key and cryptographic salt information for a target account and use it to guess the target user's password offline.

Solution:

The vulnerability is reportedly fixed in version 12 of the authentication protocol. Applying the fix is not sufficient on its own: administrators must also configure the database server to accept only version 12 of the protocol, since a server that still negotiates the older version remains exposed. No fix was available for Oracle Database 11g Release 1 (11.1) at the time of this entry. Please visit the Oracle Critical Patch Updates, Security Alerts and Third Party Bulletins page for additional information when it becomes available.

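The following is an added example for this bulletin, not code from the page or from Oracle. It checks a server's sqlnet.ora for the setting that restricts the server to version 12 of the authentication protocol. The parameter name used, SQLNET.ALLOWED_LOGON_VERSION, is not stated on the page and is taken from Oracle's networking configuration documentation; the two sqlnet.ora fragments are constructed samples showing the weak configuration beside the corrected one. The parser handles the simple KEY=VALUE lines this parameter uses and ignores comments; it does not attempt the full parenthesised sqlnet.ora syntax.

```python
"""Audit sqlnet.ora for the protocol-version restriction. Added example;
the parameter name is an assumption from Oracle's documentation and the
sample files are constructed."""
from typing import Dict, List

# Assumption: the sqlnet.ora parameter that sets the minimum accepted
# authentication protocol version on the server.
PARAM = "SQLNET.ALLOWED_LOGON_VERSION"
REQUIRED = 12

# Constructed sample: the patch is applied but the server still negotiates
# the old protocol with any client that asks for it.
WEAK_SQLNET_ORA = """
# sqlnet.ora (constructed sample, vulnerable configuration)
SQLNET.AUTHENTICATION_SERVICES = (NTS)
SQLNET.ALLOWED_LOGON_VERSION = 11
"""

# Constructed sample: only protocol version 12 is accepted.
FIXED_SQLNET_ORA = """
# sqlnet.ora (constructed sample, corrected configuration)
SQLNET.AUTHENTICATION_SERVICES = (NTS)
SQLNET.ALLOWED_LOGON_VERSION = 12   # require the fixed protocol only
"""


def parse_sqlnet(text: str) -> Dict[str, str]:
    """Return KEY -> value for simple one-line settings, keys upper-cased,
    with '#' comments and blank lines dropped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().upper()] = value.strip()
    return params


def logon_version_findings(text: str) -> List[str]:
    """List the problems found with the protocol-version setting; an empty
    list means the server is restricted to version 12."""
    value = parse_sqlnet(text).get(PARAM)
    if value is None:
        return [f"{PARAM} is not set; the server is not restricted to protocol version {REQUIRED}"]
    try:
        version = int(value)
    except ValueError:
        return [f"{PARAM} has a non-numeric value {value!r}"]
    if version < REQUIRED:
        return [f"{PARAM}={version} still allows authentication with a protocol version below {REQUIRED}"]
    return []


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SQLNET_ORA), ("fixed", FIXED_SQLNET_ORA)):
        findings = logon_version_findings(conf)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against the server's own sqlnet.ora (read the file and pass its text to logon_version_findings). Raising the minimum protocol version refuses connections from older clients that cannot speak version 12, so the change should be rolled out together with client updates rather than as a silent server-side edit.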