Oracle Database Server CVE-2012-0528 Remote Session Fixation Vulnerability

Bugtraq ID:	53089
Class:	Unknown
CVE:	CVE-2012-0528
Remote:	Yes
Local:	No
Published:	Apr 18 2012 12:00AM
Updated:	Apr 19 2012 10:30PM
Credit:	Esteban Martinez Fayo of Application Security Inc
Vulnerable:	Oracle Oracle11g Standard Edition 11.1.0.7 R1 Oracle Oracle11g Enterprise Edition 11.1.0.7 R1 Oracle Oracle10g Standard Edition 10.2 .5 Oracle Oracle10g Standard Edition 10.2 .3 R2 Oracle Oracle10g Standard Edition 10.2.0.4 R2 Oracle Oracle10g Personal Edition 10.2 .5 Oracle Oracle10g Personal Edition 10.2 .3 R2 Oracle Oracle10g Personal Edition 10.2.0.4 R2 Oracle Oracle10g Enterprise Edition 10.2 .5 Oracle Oracle10g Enterprise Edition 10.2 .3 R2 Oracle Oracle10g Enterprise Edition 10.2.0.4 R2
Not Vulnerable:

Oracle Database Server CVE-2012-0528 Remote Session Fixation Vulnerability

Oracle Database Server is prone to a session fixation vulnerability in Enterprise Manager Base Platform.

The vulnerability can be exploited over the 'HTTP' protocol. The 'Security Framework' sub component is affected.

An attacker can exploit this issue to hijack an arbitrary session and gain unauthorized access to the affected application.

Oracle Database Server CVE-2012-0528 Remote Session Fixation Vulnerability

To exploit these issues an attacker entices an unsuspecting user into following a malicious URI.

Oracle Database Server CVE-2012-0528 Remote Session Fixation Vulnerability

Solution:
Vendor updates are available. Please contact the vendor for more information.

Oracle Database Server CVE-2012-0528 Remote Session Fixation Vulnerability

References:

• Oracle Critical Patch Update Advisory - April 2012 (Oracle)
  
• Oracle Enterprise Manager vulnerable to Session fixation. (Team Shatter)