Oracle has closed a security hole that could have allowed attackers to compromise its flagship relational database.
Oracle has issued a fix for a security weakness in its
database product that was disclosed at the Black Hat security conference in
July in Las Vegas.
At the conference, Oracle database security guru David
Litchfield of Accuvant Labs outlined CVE-2012-3132, a vulnerability in the
Oracle database server. The issue was one of multiple attacks that Litchfield
demonstrated against the Oracle indexing architecture. The flaw allows
authenticated remote users to execute arbitrary SQL commands via vectors
involving CREATE INDEX with a CTXSYS.CONTEXT INDEXTYPE and
While it is not exploitable by remote unauthenticated users,
an attacker could exploit the issue as part of a privilege escalation attack
and gain 'SYS' privileges.
"Patches and relevant information for protecting against this vulnerability
can be found in My Oracle Support Note 1480492.1," Oracle
explained in a security advisory
. "Mitigations for this issue for
Oracle Database Server versions 9i through 11gR2 can be found in My Oracle Support Note 1482694.1.
Due to the threat posed
by a successful attack and the public disclosure of the technical details of
this vulnerability, Oracle strongly recommends that customers apply this
Security Alert solution as soon as possible."
The issue impacts versions 10.2.0.3, 10.2.0.4, 10.2.0.5,
220.127.116.11, 18.104.22.168 and 22.214.171.124 of the Oracle database server. According to the
company, versions 126.96.36.199 and 188.8.131.52 do not require patching if the July
2012 Critical Patch Update has been applied.
"Since Oracle Fusion Middleware, Oracle Enterprise
Manager, Oracle E-Business Suite include the Oracle Database Server component
that is affected by this vulnerability, Oracle recommends that customers apply
this fix as soon as possible to the Oracle Database Server component,"
according to Oracle.
For older systems such as Oracle 8i, the company released a
workaround with instructions on how to create a database trigger that prevents
the creation of a database object required to exploit this vulnerability,
explained Alex Rothacker, director of security research for Application
"Since this vulnerability allows a full takeover of the
database, SHATTER would give this vulnerability a CVSSv2 score of 9. This is a
very high-risk vulnerability, with publicly available exploit code," he
said. "Organizations should apply the patches released by Oracle ASAP, and
if they are running a version of Oracle for which a patch is not available,
they should immediately implement the workaround released by Oracle. A good
database activity monitoring solution with the proper attack signatures can
also help in identifying and preventing an attack using this