Qualys Blog

www.qualys.com
wkandek

Oracle releases OOB Patch for 0-day Vulnerability

Oracle provided today an out-of-band (OOB) patch for a vulnerability (CVE-2012-3132) released at the Black Hat 2012 conference just two weeks ago. In his talk "Find me in your Database" David Litchfield had looked into several known Oracle indexing vulnerabilities and also disclosed a completely new vulnerability that he had found during his research. This 0-day vulnerability can be used to take control over a database, provided the attacker has user level access to the database (i.e. an account on the database) and certain packages are installed. Unfortunately all of the required packages are present by default, so the only systems immune to the attack would be systems where the database administrator (DBA) has pruned packages that are not in use. More information on the vulnerability can be found in this blog post by Alex Rothacker of Team Shatter.

Kudos to Oracle for the remarkably quick turnaround.

Leave a Reply