Home→Descriptions→SA50143
| Secunia ID | |
| CVE-ID | |
| Release Date | 08 Aug 2012 |
| Last Change | 13 Aug 2012 |
| Criticality | |
| Solution Status | Vendor Patch |
| Software | Oracle Database 10.x |
| Where | |
| Impact | Privilege escalation. This covers vulnerabilities where a user is able to conduct certain tasks with the privileges of other users or administrative users. This typically includes cases where a local user on a client or server system can gain access to the administrator or root account, thus taking full control of the system. |
| Description | David Litchfield has reported a vulnerability in Oracle Database, which can be exploited by malicious users to gain escalated privileges. The vulnerability is caused by an unspecified error related to the CTXSYS.CONTEXT index. No further information is currently available. Successful exploitation allows a user to gain SYSDBA privileges, but requires CREATE TABLE and CREATE PROCEDURE privileges and EXECUTE privileges on DBMS_STATS. The vulnerability is reported in versions 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3. Other versions may also be affected. |
| Solution | Update to a fixed version (please see the vendor's advisory for details). Note: No action is needed for versions 11.2.0.2 and 11.2.0.3 if the July CPU has been applied. |
| Reported by | David Litchfield |
| Original Advisory | Oracle: Team SHATTER: |
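
To gauge exposure while patching is scheduled, the following added example (not part of the Secunia or Oracle advisory) lists accounts that hold all three privileges the description names, whether granted directly, through PUBLIC, or through nested roles. It assumes a DBA session with access to the standard `DBA_*` dictionary views; the CTE and column aliases are illustrative names.

```sql
-- Added example: exposure audit for the preconditions listed in the advisory.
-- Compare the instance version with the affected versions in the description.
SELECT version FROM v$instance;

WITH role_closure AS (
  -- every grantee (user, role or PUBLIC) paired with each role it reaches,
  -- directly or through roles granted to roles
  SELECT CONNECT_BY_ROOT grantee AS holder, granted_role AS role_name
  FROM dba_role_privs
  CONNECT BY PRIOR granted_role = grantee
),
seed AS (
  -- a user receives grants made to itself and grants made to PUBLIC
  SELECT username AS db_user, username AS holder FROM dba_users
  UNION ALL
  SELECT username, 'PUBLIC' FROM dba_users
),
effective AS (
  SELECT db_user, holder AS grantee FROM seed
  UNION
  SELECT s.db_user, c.role_name
  FROM seed s
  JOIN role_closure c ON c.holder = s.holder
),
privs AS (
  -- only the exact privileges named in the advisory are matched here
  SELECT grantee, privilege AS priv
  FROM dba_sys_privs
  WHERE privilege IN ('CREATE TABLE', 'CREATE PROCEDURE')
  UNION ALL
  SELECT grantee, 'EXECUTE ON DBMS_STATS'
  FROM dba_tab_privs
  WHERE owner = 'SYS'
    AND table_name = 'DBMS_STATS'
    AND privilege = 'EXECUTE'
)
-- accounts holding all three preconditions
SELECT e.db_user
FROM effective e
JOIN privs p ON p.grantee = e.grantee
GROUP BY e.db_user
HAVING COUNT(DISTINCT p.priv) = 3
ORDER BY e.db_user;
```

Accounts returned by the second query on an unpatched affected version are the ones to review first, for example by removing CREATE TABLE or CREATE PROCEDURE where the account does not need it.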