TeamSHATTER’s Analysis Of The October 2012 Oracle CPUTeam Shatter Exclusive

Posted October 17, 2012 by TeamSHATTER Admin in Database Security, Oracle, Team Shatter Exclusive with 0 comments

The October 2012 CPU contains 109 fixes across various Oracle product lines. Specifically, Database, Fusion Middleware, Enterprise Manager,  E-Business Suite, Supply Chain, PeopleSoft Enterprise, Siebel, Health Sciences, FLEXCUBE, Sun Products, Virtualization and MySQL.

34 of the fixes in the CPU are for vulnerabilities that are remotely exploitable without authentication.  In other words, anyone on the network can exploit these vulnerabilities. Two products have fixes for vulnerabilities that allow for a complete takeover of the host, Oracle Database and Oracle Fusion Middleware (JRockit).

There are five vulnerabilities fixed in the Oracle Database, two of them were reported by TeamSHATTER members.  The most serious vulnerability affecting the Oracle Database is a remotely exploitable vulnerability which allows an attacker to gain access to the database through a serious flaw in the login system to retrieve and change stored data. Though Oracle closed the issue more than a year ago, they are now issuing a fix in all supported releases.

The fix for this vulnerability comes with some caveats to take into consideration.  After the CPU is applied to Oracle Database servers, the vulnerable logon protocol version 11 will no longer be available.  This may impact the ability of some database clients to connect.  Make sure to read Patching for CVE-2012-3137 [ID 1493990.1] document available at Oracle Support for more information.

Oracle Database Server Vulnerabilities in order of importance/severity:

  • CVE-2012-3137: This is an unauthenticated remotely exploitable vulnerability that allows one to perform efficient password cracking (a.k.a. stealth password cracking vulnerability in logon protocol.)  This is a critical vulnerability that needs to be addressed ASAP.  This issue is credited to TeamShatter’s own Esteban Martinez Fayo.
  • CVE-2012-1751:  This is a SQL Injection vulnerability that allows database users with CREATE FLASHBACK ARCHIVE privileges to elevate to DBA privileges.  This issue is credited to TeamShatter’s own Martin Rakhmanov.
  • CVE-2012-3132: This vulnerability allows database users with CREATE TABLE privileges to elevate to DBA privileges.  The patches included in October CPU supersede Oracle Security Alert for CVE-2012-3132.
  • CVE-2012-3151: This vulnerability is only exploitable locally and affects Unix and Linux (not Windows) and concerns the Integrity and Availability of the Database.
  • CVE-2012-3146: This vulnerability allows database users with CREATE ANY DIRECTORY privilege to affect the Integrity of the Database.

There are also 14 vulnerabilities fixed in MySQL. Two of them are remotely exploitable without authentication and the rest require an authenticated user.

 

Leave a Reply

Name (required)

Mail (will not be published) (required)

Website

Please note: JavaScript is required to post comments.

Powered by