[SingCERT] Oracle Database Lets Remote Users Hijack TNS listener Instance Connections

[ Summary ]

Oracle has released a Security Alert for a vulnerability (CVE-2012-1675) in the TNS listener affecting the Oracle Database Server. This vulnerability may be exploitable over the network without authentication. For instance, a remote user can connect to the TNS listener and register an already registered instance to cause the target TNS listener to route connections to the remote user’s database server.


 

[ Affected Products ]

Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3

Oracle Database 11g Release 1, version 11.1.0.7

Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5

Oracle Fusion Middleware, Oracle Enterprise Manager, and Oracle E-Business Suite include the Oracle Database component that is affected by this vulnerability, so Oracle recommends that customers apply the solution for this vulnerability to the Oracle Database component.

[ Impact Analysis ]

Successful exploitation of this vulnerability could allow a remote user to hijack database instance connections.


[ Solution/Workaround ]

Please apply the workaround recommended by the vendor.
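
One way to check whether each listener in a `listener.ora` restricts instance registration, as an added example that is not part of the SingCERT or Oracle advisory. It assumes the settings to look for are the Oracle Net parameters `SECURE_REGISTER_<listener>` and `DYNAMIC_REGISTRATION_<listener>`; the sample file, host names and listener names are constructed, and the applicable workaround should be confirmed against the Oracle alert in the reference.

```python
import re

# Constructed sample listener.ora; hosts and listener names are made up.
SAMPLE = """\
LISTENER =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example)(PORT = 1521)))
SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = ORCL)))  # static entry
LISTENER_APP =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = APP))
                   (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example)(PORT = 1522))))
SECURE_REGISTER_LISTENER_APP = (IPC)
LISTENER_OLD = (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example)(PORT = 1523))
dynamic_registration_LISTENER_OLD = off
LISTENER_BAD = (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example)(PORT = 1524))
SECURE_REGISTER_LISTENER_BAD = (TCP, IPC)
"""

def top_level_params(text):
    """Return {NAME: value} for entries at parenthesis depth 0, names upper-cased."""
    text = re.sub(r"#[^\n]*", "", text)               # strip comments
    depth, depths = 0, []
    for ch in text:                                   # depth before each character
        depths.append(depth)
        depth += (ch == "(") - (ch == ")")
    hits = [m for m in re.finditer(r"[A-Za-z_][\w.]*\s*=", text)
            if depths[m.start()] == 0]
    params = {}
    for m, nxt in zip(hits, hits[1:] + [None]):
        end = nxt.start() if nxt else len(text)
        name = m.group(0).rstrip("=").strip().upper()
        params[name] = " ".join(text[m.end():end].split())
    return params

def audit(text):
    """Classify each listener as 'restricted', 'weak' or 'open' for registration."""
    p, result = top_level_params(text), {}
    for name, value in p.items():
        if name.startswith("SID_LIST_") or "ADDRESS" not in value.upper():
            continue                                  # not a listener definition
        cost = {t.upper() for t in re.findall(r"[A-Za-z]+", p.get("SECURE_REGISTER_" + name, ""))}
        dyn_off = p.get("DYNAMIC_REGISTRATION_" + name, "").lower() == "off"
        # Assumption: plain TCP in the list still admits network registrations.
        if dyn_off or (cost and "TCP" not in cost):
            result[name] = "restricted"
        else:
            result[name] = "weak" if cost else "open"
    return result

if __name__ == "__main__":
    for listener, status in audit(SAMPLE).items():
        print(f"{listener}: {status}")
```

A listener reported as `open` or `weak` is a candidate for the vendor workaround; the parameters are matched by exact listener name, so `LISTENER` is not credited with settings that belong to `LISTENER_APP`.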

  

[ Reference ]

http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html