Oracle is warning customers about a vulnerability in the ubiquitous Oracle Database Server that can allow an attacker to gain complete control of the affected server. The CVE-2012-3132 vulnerability is not remotely exploitable by an unauthenticated user.
The company said that there are a number of its products that include the vulnerability, but some of them may be protected if the customer has installed the July 2012 critical patch update.
“This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. A remote authenticated user can exploit this vulnerability to gain ‘SYS’ privileges and impact the confidentiality, integrity and availability of un-patched systems,” Oracle said in its advisory.
“Since Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite include the Oracle Database Server component that is affected by this vulnerability, Oracle recommends that customers apply this fix as soon as possible to the Oracle Database Server component.”
The vulnerability, which affects several Oracle Database Server versions, originally was disclosed at Black Hat last month. Though the flaw is not remotely exploitable by an unauthenticated attacker, it is still considered serious given that a user could gain high-level privileges and take unauthorized actions on the database server. The vulnerability is a SQL-injection weakness in the database server.
“SQL injection vulnerability in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 220.127.116.11, 18.104.22.168, and 22.214.171.124 allows remote authenticated users to execute arbitrary SQL commands via vectors involving CREATE INDEX with a CTXSYS.CONTEXT INDEXTYPE and DBMS_STATS.GATHER_TABLE_STATS,” NIST said in its vulnerability note.