Oracle Security Alert for CVE-2012-1675

Description

This security alert addresses the security issue CVE-2012-1675, a vulnerability in the TNS listener which has been recently disclosed as "TNS Listener Poison Attack" affecting the Oracle Database Server. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality, integrity and availability of systems that do not have recommended solution applied.

Affected Products and Versions

  • Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3, 11.2.0.4
  • Oracle Database 11g Release 1, version 11.1.0.7
  • Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5

Since Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite include the Oracle Database component that is affected by this vulnerability, Oracle recommends that customers apply the solution for this vulnerability to the Oracle Database component.

Supported Products and Versions

Security Alert solutions are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that Security Alert solutions are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerability addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by this vulnerability.

Supported Database is patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Security Alert solutions are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to apply Security Alert solutions for products in the Extended Support Phase.

Solution

Recommendations for protecting against this vulnerability can be found at:

Please note that Oracle has added Oracle Advanced Security SSL/TLS to the Oracle Database Standard Edition license when used with the Real Application Clusters and Oracle has added Oracle Advanced Security SSL/TLS to the Enterprise Edition Real Application Clusters (Oracle RAC) and RAC One Node options so that the directions provided in the Support Notes referenced above can be applied by all Oracle customers without additional cost.

Note: Please refer to the Oracle licensing documentation available on Oracle.com regarding licensing changes that allow Oracle Advanced Security SSL/TLS to be used with Oracle SE Oracle Real Application Clusters and Oracle Enterprise Edition Real Application Customers (Oracle RAC) and Oracle RAC OneNode Options.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply this Security Alert solution as soon as possible.

References

Modification History

Date Comments
2014-June-20 Rev 3. Added 11.2.0.4 as affected version
2012-May-01 Rev 2. Updated Supported Products and Versions section
2012-April-30 Rev 1. Initial Release

Oracle Database Server Risk Matrix

The English text form of this Risk Matrix can be found here.

CVE# Component Protocol Package and/or Privilege Required Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen­tication Confid­entiality Inte­grity Avail­ability
CVE-2012-1675 Listener Oracle Net None Yes 7.5 Network Low None Partial+ Partial+ Partial 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3, 11.2.0.4