Oracle Security Alert for CVE-2012-3132

Oracle | Hyperion Products

Oracle Security Alert Ref.

Oracle Security Alert for CVE-2012-3132

Latest Version/Date

13/09/2012

Link to Update

http://www.oracle.com/technetwork/topics/security/alert-cve-2012-3132-1721017.html

Last Modified by TGG

13/09/2012

Product Affected

Oracle Database Server versions 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3

Note

Versions 11.2.0.2 and 11.2.0.3 do not require patching if the July 2012 Critical Patch Update has been applied.

Oracle Security Alert Summary

Summary as provided by Oracle

This security alert addresses the security issue CVE-2012-3132 - the Privilege Escalation vulnerability in the Oracle Database Server that was recently disclosed at the Black Hat USA 2012 Briefings held in July 2012 involving INDEXTYPE CTXSYS.CONTEXT.

This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. A remote authenticated user can exploit this vulnerability to gain 'SYS' privileges and impact the confidentiality, integrity and availability of un-patched systems

Assessment by TGG

If your company uses Oracle as the database back-end to its Hyperion platform, please have your Database Administrator check the alert by viewing the following link to determine if the patch is required:

https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1480492.1