Update for CVE-2012-3132
Last Updated: 2012-09-23 15:33:58 UTC
by Tony Carothers (Version: 1)
In July of this year Oracle sent a vulnerability notification to its users for the Oracle Security Alert CVE-2012-3132. At the time of the publication of the security bulletin it was noted that this exploit was not remotely exploitable. The remote capabilities, or lack thereof, in this vulnerability were called into question, with a very interesting write-up on the Kaspersky Labs Security News Service. Many organizations I have worked with would initially deem this a very low risk, due to the lack of remote capabilities, so it may be time for a reassessment of the risk.
I am not on the Oracle Security newsfeeds, so if anybody has a notification from Oracle that they are permitted to share, we would love to help get the word out.
tony d0t carothers - gmail
CVE-2012-3132 is a privilege escalation from an account with certain limited abilities with respect to CTXSYS.CONTEXT.
The new one posted on the Kaspersky blog, if I understand it correctly, involves the ability of an unauthenticated attacker to gather enough information to do off-line password cracking, without having to even sniff a successful logon by someone who does have a valid password.
That latter point is important - it's apparently been known since 2007 that sniffing a single successful authentication already provided enough data for offline cracking (http://www.soonerorlater.hu/index.khtml?article_id=512).
Sep 24th 2012