Posted by: Mark Fontecchio
Oracle 11g R2
Oracle has issued a security alert fixing flaws in its flagship Oracle Database product that were demonstrated at the Black Hat conference this year.
Our colleagues at SearchSecurity.com were one of the first to report on the Oracle Database security flaws, which database security consultant David Litchfield exposed during a session at Black Hat in July. From the story:
Litchfield, one of the industry’s top database security consultants, demonstrated several proof-of-concept attacks, during which he was able to elevate his privileges to the database administrator (DBA) level, giving him the ability to manipulate database indexing records remotely via SQL injection.
Three of the exploits he demonstrated were able to beat vulnerabilities reported and patched as long as two years ago: CVE-2010-0902 (an unspecified OLAP vulnerability), CVE-2010-3512 (an unspecified Core RDBMS component vulnerability) and CVE-2012-0552 (an unspecified Oracle Spatial component vulnerability). He also demonstrated another exploit against an unpatched vulnerability that was reported to MITRE Corp.’s Common Vulnerabilities and Exposures database (CVE).
Oracle recommended in its recent security alert that the fix should be applied to Oracle Database as soon as possible. The vulnerability affects Oracle Database Server versions 10.2.0.3, 10.2.0.4, 10.2.0.5, 18.104.22.168, 22.214.171.124, and 126.96.36.199.
“Since Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite include the Oracle Database Server component that is affected by this vulnerability, Oracle recommends that customers apply this fix as soon as possible to the Oracle Database Server component,” the alert stated.