Oracle Enterprise Manager CVE-2012-0525 SQL Injection Vulnerability

Bugtraq ID:	53063
Class:	Input Validation Error
CVE:	CVE-2012-0525
Remote:	Yes
Local:	No
Published:	Apr 17 2012 12:00AM
Updated:	Aug 22 2012 07:10PM
Credit:	Esteban Martinez Fayo of Application Security
Vulnerable:	SuSE Manager (for SLE 11 SP1) 1.2 Oracle Oracle11g Standard Edition 11.2.0.3 Oracle Oracle11g Standard Edition 11.2.0.2.0 Oracle Oracle11g Standard Edition 11.1.0.7 R1 Oracle Oracle11g Enterprise Edition 11.2 2 Oracle Oracle11g Enterprise Edition 11.2.0.3 Oracle Oracle11g Enterprise Edition 11.1.0.7 R1 Oracle Enterprise Manager Grid Control 11G 11.1 1 Oracle Enterprise Manager Grid Control 10g 10.2.0.5
Not Vulnerable:

Oracle Enterprise Manager CVE-2012-0525 SQL Injection Vulnerability

Oracle Enterprise Manager is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

This vulnerability affects the following supported versions:
10.2.0.5, 11.1.0.1

Oracle Enterprise Manager CVE-2012-0525 SQL Injection Vulnerability

Attackers can use a browser to exploit this issue.

Oracle Enterprise Manager CVE-2012-0525 SQL Injection Vulnerability

Solution:
Vendor updates are available. Please contact the vendor for more information.

Oracle Enterprise Manager CVE-2012-0525 SQL Injection Vulnerability

References:

• SQL Injection in Oracle Enterprise Manager (searchPage web page) (CVE-2012-0525) (TeamSHATTER)
  
• Oracle Critical Patch Update Advisory - April 2012 (Oracle)