Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 6.4
CVE Id: CVE-2012-3137
Last Modified: 10 Oct 2013 11:44:25
Published: 21 Sep 2012 07:55:01
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2012-3137

Summary

The authentication protocol in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote attackers to obtain the session key and salt for arbitrary users, which leaks information about the cryptographic hash and makes it easier to conduct brute force password guessing attacks, aka "stealth password cracking vulnerability."

Vulnerable Systems

Application

  • Oracle Database Server 10.2.0.3
  • Oracle Database Server 10.2.0.4
  • Oracle Database Server 10.2.0.5
  • Oracle Database Server 11.1.0.6
  • Oracle Database Server 11.1.0.7
  • Oracle Database Server 11.2.0.1
  • Oracle Database Server 11.2.0.2
  • Oracle Database Server 11.2.0.3

References

MISC - http://www.darkreading.com/authentication/167901072/security/application-security/240007643/attack-easily-cracks-oracle-database-passwords.html

MISC - http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular

MISC - http://arstechnica.com/security/2012/09/oracle-database-stealth-password-cracking-vulnerability/

CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html

EXPLOIT-DB - 22069

MANDRIVA - MDVSA-2013:150

Last Updated: 27 May 2016 11:00:47