08 Aug 2012
13 Aug 2012
Oracle Database 10.x
This covers vulnerabilities where a user is able to conduct certain tasks with the privileges of other users or administrative users.
This typically includes cases where a local user on a client or server system can gain access to the administrator or root account, thus taking full control of the system.
David Litchfield has reported a vulnerability in Oracle Database, which can be exploited by malicious users to gain escalated privileges.
The vulnerability is caused by an unspecified error related to the CTXSYS.CONTEXT index. No further information is currently available.
Successful exploitation allows a user to gain SYSDBA privileges, but requires CREATE TABLE and CREATE PROCEDURE privileges and EXECUTE privileges on DBMS_STATS.
The vulnerability is reported in versions 10.2.0.3, 10.2.0.4, 10.2.0.5, 126.96.36.199, 188.8.131.52, and 184.108.40.206. Other versions may also be affected.
Update to a fixed version (please see the vendor's advisory for details).
Note: No action is needed for versions 220.127.116.11 and 18.104.22.168 if the July CPU has been applied.
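To gauge exposure while patching is scheduled, the following audit query (an added example, not part of the original advisory or the vendor's guidance) lists open accounts that hold all three prerequisite privileges named in the description, whether granted directly, through a role, or through PUBLIC. It assumes read access to the standard DBA_* dictionary views and checks only the privileges the advisory names, not broader ones such as the ANY variants.

```sql
-- Added example: accounts holding CREATE TABLE, CREATE PROCEDURE and
-- EXECUTE on SYS.DBMS_STATS (the prerequisites listed in the advisory).
WITH role_tree AS (
  -- Every grantee (user, role or PUBLIC) paired with each role it reaches,
  -- including roles nested inside other roles.
  SELECT CONNECT_BY_ROOT grantee AS root_grantee, granted_role
  FROM   dba_role_privs
  CONNECT BY NOCYCLE PRIOR granted_role = grantee
),
effective AS (
  -- Grantee names whose privileges apply to each account:
  -- the account itself, PUBLIC, and every role reachable from either.
  SELECT u.username AS account, u.username AS grantee FROM dba_users u
  UNION
  SELECT u.username, 'PUBLIC' FROM dba_users u
  UNION
  SELECT u.username, r.granted_role
  FROM   dba_users u
  JOIN   role_tree r ON r.root_grantee IN (u.username, 'PUBLIC')
),
prereq AS (
  -- System privileges named in the advisory
  SELECT e.account, sp.privilege AS held
  FROM   effective e
  JOIN   dba_sys_privs sp ON sp.grantee = e.grantee
  WHERE  sp.privilege IN ('CREATE TABLE', 'CREATE PROCEDURE')
  UNION
  -- Object privilege named in the advisory
  SELECT e.account, 'EXECUTE ON DBMS_STATS'
  FROM   effective e
  JOIN   dba_tab_privs tp ON tp.grantee = e.grantee
  WHERE  tp.owner      = 'SYS'
  AND    tp.table_name = 'DBMS_STATS'
  AND    tp.privilege  = 'EXECUTE'
)
SELECT p.account, u.account_status
FROM   prereq p
JOIN   dba_users u ON u.username = p.account
WHERE  u.account_status = 'OPEN'
GROUP  BY p.account, u.account_status
HAVING COUNT(DISTINCT p.held) = 3   -- all three prerequisites present
ORDER  BY p.account;
```

Accounts returned that do not need to create tables or procedures are candidates for privilege reduction until the fixed version is installed.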