Analysis of the April 2012 CPU for the Oracle Database

Monday, April 23, 2012

Alexander Rothacker


It’s mid-April, so it’s Oracle CPU fallout time again. This April 2012 CPU contains 88 fixes across various Oracle product lines.

Specifically, Database, Fusion Middleware, Enterprise Manager, E-Business Suite, Supply Chain, PeopleSoft, Siebel Health Sciences, Financial Services, Primavera, various Sun products and MySQL .

Thirty-three of the fixes in this CPU are for vulnerabilities that are remotely exploitable without authentication. In other words, anybody on the network can exploit these vulnerabilities. Three of the product lines have fixes for vulnerabilities that allow for a complete takeover of the host, Database, Fusion Middleware (JRockit) and Oracle Grid Engine.

I’m happy to say that Oracle was able to fix 12 Database related fixes. Six in the Database itself and another six in Oracle Enterprise Manager. Let’s hope this will break the trend of declining fixes for Oracle’s flagship Database product.

This CPU fixed eight issues that were reported to Oracle by TeamSHATTER’s own Esteban Martinez Fayo. One of these issues was reported to Oracle in October of 2009, that’s the part that I’m not so happy about.

Oracle Database Server Vulnerabilities in order of importance/severity:

  • CVE-2012-0552: This vulnerability is a stack based buffer overflow that allows for a complete takeover of the machine hosting the Oracle Database on Windows and full takeover of the Database on other operating systems, which for all practical purposes is equivalent to a full takeover of the host. It’s in the Oracle Spatial component and as such can be mitigated by removing Spatial from the Database installation if not required. It also requires slightly elevated privileges, the kind a developer would usually have.
  • CVE-2012-0519: This vulnerability affects installations on Windows only and allows a complete takeover of the host and database. A possible workaround is to remove the MS C runtime (msvcrt71.dll) from the Oracle 11gR2 home directory (bin). Testing should be done before implementing this workaround.
  • CVE-2012-0511: Again, this is remotely exploitable without authentication. This vulnerability allows an attacker to brute force passwords while leaving only a minimal audit trail. The nature of CVSS makes a vulnerability like this look at lot less severe than it is in real live. Must patch ASAP.
  • CVE-2012-0528: Allows an attacker to reuse an existing session ID. This is an Enterprise Manager only vulnerability that can only be exploited in shared terminal environments.
  • CVE-2012-0512, CVE-2012-0525: Are both SQL Injection vulnerabilities that allow a user to elevate privileges and execute SQL functions as SYSMAN. Users of Enterprise Manager should patch this ASAP.
  • CVE-2012-1708: Only Application Express is affected by this vulnerability, that allows anybody with access to the network to affect the integrity of the database.
  • CVE-2012-0526, CVE-2012-0527: Allow for response splitting attacks in the Enterprise Manager Database control. Both allow an unauthenticated attacker to steal a user’s session and thus compromise the confidentiality and integrity of the database. This is in Enterprise Manager and only requires patching if Enterprise Manager is installed and used. I disagree with Oracle on the CVSS score of this vulnerability since it has a partial confidentiality impact. CVSS is 5.8.
  • CVE-2012-0520: This vulnerabilities allows for a remote, unauthenticated attacker to affect the integrity of the database. This is in Enterprise Manager and only requires patching if Enterprise Manager is installed and used.
  • CVE-2012-0534: Is a vulnerability in the RDBMS Core that allows any authenticated user to affect the integrity of the Database. There is no workaround, so patch now.
  • CVE-2012-0510: Allows an attacker unlimited attempts to change passwords for locked accounts. Locked accounts should not be allowed to change passwords at all. This vulnerability is of lower risk since it requires for the attacker to know the current password.

There are also 6 vulnerabilities fixed in MySQL. All of them only affect the availability of the server and all require an authenticated user. Critical systems that should be fixed quickly, if availability is not crucial these systems should be fixed soon, but at a lower priority.

Cross posted from TeamSHATTER

Possibly Related Articles:
Industrial Control Systems
Databases Oracle Application Security Vulnerabilities Exploits Network Security MySQL Critical Patch Updates CPU
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.