Eye on Oracle

Aug 21 2012   2:26PM GMT

Oracle fixes database flaw exposed at Black Hat

Mark Fontecchio

Oracle has issued a security alert fixing flaws in its trademark Oracle Database product that were demonstrated at the Black Hat summit this year.

Our colleagues at SearchSecurity.com were among the first to report on the Oracle Database security flaws, which database security consultant David Litchfield exposed during a session at Black Hat in July. From the story:

Litchfield, one of the industry’s top database security consultants, demonstrated several proof-of-concept attacks, during which he was able to elevate his privileges to the database administrator (DBA) level, giving him the ability to manipulate database indexing records remotely via SQL injection.

Three of the exploits he demonstrated were able to beat vulnerabilities reported and patched as long as two years ago: CVE-2010-0902 (an unspecified OLAP vulnerability), CVE-2010-3512 (an unspecified Core RDBMS component vulnerability) and CVE-2012-0552 (an unspecified Oracle Spatial component vulnerability). He also demonstrated another exploit against an unpatched vulnerability that was reported to MITRE Corp.’s Common Vulnerabilities and Exposures database (CVE).

 Oracle recommended in its recent security alert that the fix should be applied to Oracle Database as soon as possible. The vulnerability affects Oracle Database Server versions,,,,, and

“Since Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite include the Oracle Database Server component that is affected by this vulnerability, Oracle recommends that customers apply this fix as soon as possible to the Oracle Database Server component,” the alert stated.
