SecurityTracker.com
Category:   Application (Database)  >   Oracle Database
Vendors:   Oracle
Oracle Database ‘INDEXTYPE CTXSYS.CONTEXT’ Bug Lets Remote Authenticated Users Gain Elevated Privileges
SecurityTracker Alert ID:  1027367
SecurityTracker URL:  http://securitytracker.com/id/1027367
CVE Reference:   CVE-2012-3132
Updated:  Oct 17 2012
Original Entry Date:  Aug 12 2012
Impact:   User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3
Description:   A vulnerability was reported in Oracle Database. A remote authenticated user can gain elevated privileges on the target system.

A remote authenticated user with 'Create Table' privileges can send specially crafted data to gain 'SYS' privileges.

Versions 11.2.0.2 and 11.2.0.3 are not affected on systems that have the July 2012 Critical Patch Update.

Oracle Fusion Middleware, Oracle Enterprise Manager, and Oracle E-Business Suite include the affected Oracle Database Server component and may be vulnerable.

This vulnerability was reported at the Black Hat USA 2012 Briefings.

Impact:   A remote authenticated user with 'Create Table' privileges can gain 'SYS' privileges on the target system.
Solution:   The vendor has issued a fix.

The fix is also included in the October 2012 Oracle Critical Patch Update Advisory.

The vendor's advisories are available at:

http://www.oracle.com/technetwork/topics/security/alert-cve-2012-3132-1721017.html
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html

Vendor URL:  www.oracle.com/technetwork/topics/security/alert-cve-2012-3132-1721017.html
Cause:   Not specified
Underlying OS:   Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000), Windows (2003), Windows (2008), Windows (Vista), Windows (XP)

Message History:   None.


 Source Message Contents

Date:  Sun, 12 Aug 2012 16:19:46 +0000
Subject:  Oracle Database Server


http://www.oracle.com/technetwork/topics/security/alert-cve-2012-3132-1721017.html

CVE-2012-3132
 
 


Copyright 2013, SecurityGlobal.net LLC