CVE-2012-3137
First published: Fri Sep 21 2012(Updated: )
The authentication protocol in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote attackers to obtain the session key and salt for arbitrary users, which leaks information about the cryptographic hash and makes it easier to conduct brute force password guessing attacks, aka "stealth password cracking vulnerability."
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle Database | =10.2.0.3 | |
| Oracle Database | =10.2.0.4 | |
| Oracle Database | =10.2.0.5 | |
| Oracle Database | =11.1.0.7 | |
| Oracle Database | =11.2.0.2 | |
| Oracle Database | =11.2.0.3 | |
| Oracle Primavera P6 Enterprise Project Portfolio Management | =8.2 | |
| Oracle Primavera P6 Enterprise Project Portfolio Management | =8.3 | |
| Oracle Primavera P6 Enterprise Project Portfolio Management | =8.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://arstechnica.com/security/2012/09/oracle-database-stealth-password-cracking-vulnerability/
- http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular
- http://www.darkreading.com/authentication/167901072/security/application-security/240007643/attack-easily-cracks-oracle-database-passwords.html
- http://www.exploit-db.com/exploits/22069
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
- http://www.securityfocus.com/bid/55651
Frequently Asked Questions
What is the severity of CVE-2012-3137?
CVE-2012-3137 has been classified as a high severity vulnerability due to its potential for allowing unauthorized access to user credentials.
How do I fix CVE-2012-3137?
To fix CVE-2012-3137, it is essential to update Oracle Database to a patched version that addresses this vulnerability.
What platforms are affected by CVE-2012-3137?
CVE-2012-3137 affects various versions of Oracle Database including 10.2.0.3 to 10.2.0.5 and 11.1.0.7 to 11.2.0.3.
What types of attacks can be executed due to CVE-2012-3137?
CVE-2012-3137 enables attackers to conduct brute force password cracking, compromising user sessions and credentials.
Is CVE-2012-3137 specific to certain Oracle products?
Yes, CVE-2012-3137 specifically affects Oracle Database and Oracle Primavera P6 Enterprise Project Portfolio Management versions stated in the vulnerability details.
- agent/references
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/weakness
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/oracle
- canonical/oracle database
- version/oracle database/10.2.0.3
- version/oracle database/10.2.0.4
- version/oracle database/10.2.0.5
- version/oracle database/11.1.0.7
- version/oracle database/11.2.0.2
- version/oracle database/11.2.0.3
- canonical/oracle primavera p6 enterprise project portfolio management
- version/oracle primavera p6 enterprise project portfolio management/8.2
- version/oracle primavera p6 enterprise project portfolio management/8.3
- version/oracle primavera p6 enterprise project portfolio management/8.4