Oracle To Issue Patch To Close Vulnerability In Database Server, Other Products

earlier patch that Oracle released last month

The potential attack vector was initially disclosed at last month's Black Hat conference in Las Vegas.

"This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password," reads the Oracle Security Alert for CVE-2012-3132. "A remote authenticated user can exploit this vulnerability to gain 'SYS' privileges and impact the confidentiality, integrity and availability of un-patched systems."

However, the exploit is listed as having "low complexity," indicating that someone without extensive technical expertise could carry out the attack.

Affected versions of Oracle Database Server include 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2 and 11.2.0.3. Earlier versions that are no longer under vendor support are likely to be affected as well.

The company says versions 11.2.0.2 and 11.2.0.3 do not require patching if the July 2012 Critical Patch Update has been applied.

Oracle recommends that customers apply the patches as soon as possible.

The expected Oracle patches will coincide with Microsoft's Patch Tuesday, which occurs on the second Tuesday of every month. This month's Microsoft dispatch includes nine bulletins, five of which are rated as critical, with the remaining four rated as important.

For the sake of efficiency, IT managers and channel partners are being urged to merge patches from both vendors into a combined, high-priority workflow.

Published Aug. 13, 2012