Eye on Oracle

Aug 21 2012   2:26PM GMT

Oracle fixes database flaw exposed at Black Hat

Mark Fontecchio

Oracle has issued a security alert fixing flaws in its trademark Oracle Database product that were demonstrated at the Black Hat summit this year.

Our colleagues at SearchSecurity.com were among the first to report on the Oracle Database security flaws, which database security consultant David Litchfield exposed during a session at Black Hat in July. From the story:

Litchfield, one of the industry’s top database security consultants, demonstrated several proof-of-concept attacks, during which he was able to elevate his privileges to the database administrator (DBA) level, giving him the ability to manipulate database indexing records remotely via SQL injection.

Three of the exploits he demonstrated were able to beat vulnerabilities reported and patched as long as two years ago: CVE-2010-0902 (an unspecified OLAP vulnerability), CVE-2010-3512 (an unspecified Core RDBMS component vulnerability) and CVE-2012-0552 (an unspecified Oracle Spatial component vulnerability). He also demonstrated another exploit against an unpatched vulnerability that was reported to MITRE Corp.’s Common Vulnerabilities and Exposures database (CVE).

Oracle recommended in its recent security alert that the fix be applied to Oracle Database as soon as possible. The vulnerability affects Oracle Database Server versions 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3.

“Since Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite include the Oracle Database Server component that is affected by this vulnerability, Oracle recommends that customers apply this fix as soon as possible to the Oracle Database Server component,” the alert stated.
