Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2012-3137

The authentication protocol in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote attackers to obtain the session key and salt for arbitrary users, which leaks information about the cryptographic hash and makes it easier to conduct brute force password guessing attacks, aka "stealth password cracking vulnerability."

Published

2012-09-21T23:55:01.230

Last Modified

2025-04-11T00:51:21.963

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 6.4 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

4.9

Weaknesses

Type: Primary
CWE-287

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	oracle	database_server	10.2.0.3	Yes
Application	oracle	database_server	10.2.0.4	Yes
Application	oracle	database_server	10.2.0.5	Yes
Application	oracle	database_server	11.1.0.7	Yes
Application	oracle	database_server	11.2.0.2	Yes
Application	oracle	database_server	11.2.0.3	Yes
Application	oracle	primavera_p6_enterprise_project_portfolio_management	8.2	Yes
Application	oracle	primavera_p6_enterprise_project_portfolio_management	8.3	Yes
Application	oracle	primavera_p6_enterprise_project_portfolio_management	8.4	Yes

References

http://arstechnica.com/security/2012/09/oracle-database-stealth-password-cracking-vulnerability/ Press/Media Coverage ([email protected])
http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular Press/Media Coverage ([email protected])
http://www.darkreading.com/authentication/167901072/security/application-security/240007643/attack-easily-cracks-oracle-database-passwords.html Press/Media Coverage ([email protected])
http://www.exploit-db.com/exploits/22069 Exploit, Third Party Advisory, VDB Entry ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 Broken Link ([email protected])
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html Patch, Vendor Advisory ([email protected])
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html Patch, Vendor Advisory ([email protected])
http://www.securityfocus.com/bid/55651 ([email protected])
http://arstechnica.com/security/2012/09/oracle-database-stealth-password-cracking-vulnerability/ Press/Media Coverage (af854a3a-2127-422b-91ae-364da2661108)
http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular Press/Media Coverage (af854a3a-2127-422b-91ae-364da2661108)
http://www.darkreading.com/authentication/167901072/security/application-security/240007643/attack-easily-cracks-oracle-database-passwords.html Press/Media Coverage (af854a3a-2127-422b-91ae-364da2661108)
http://www.exploit-db.com/exploits/22069 Exploit, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/55651 (af854a3a-2127-422b-91ae-364da2661108)