Oracle is expected to issue a patch on Tuesday that is designed to close a privilege escalation and control vulnerability in at least six versions of Oracle Database Server. The Redwood City, Calif.-based software company has also indicated that a number of other products, including Oracle Fusion Middleware, Oracle Enterprise Manager and Oracle E-Business Suite, may have the same vulnerability, but some customers may be protected through the installation of an earlier patch that Oracle released last month.
The potential attack vector was initially disclosed at last month's Black Hat conference in Las Vegas.
"This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password," reads the Oracle Security Alert for CVE-2012-3132. "A remote authenticated user can exploit this vulnerability to gain 'SYS' privileges and impact the confidentiality, integrity and availability of un-patched systems."
However, the exploit is listed as having "low complexity," indicating that someone without extensive technical expertise could carry out the attack.
Affected versions of Oracle Database Server include 10.2.0.3, 10.2.0.4, 10.2.0.5, 184.108.40.206, 220.127.116.11 and 18.104.22.168. Earlier versions that are no longer under vendor support are likely to be affected as well.
The company says versions 22.214.171.124 and 126.96.36.199 do not require patching if the July 2012 Critical Patch Update has been applied.
Oracle recommends that customers apply the patches as soon as possible.
The expected Oracle patches will coincide with Microsoft's Patch Tuesday, which occurs on the second Tuesday of every month. This month's Microsoft dispatch includes nine bulletins, five of which are rated as critical, with the remaining four rated as important.
For the sake of efficiency, IT managers and channel partners are being urged to merge patches from both vendors into a combined, high-priority workflow.
Published Aug. 13, 2012