Oracle Database Server OCIPasswordChange API Security Bypass Vulnerability

Bugtraq ID:	53101
Class:	Design Error
CVE:	CVE-2012-0511
Remote:	Yes
Local:	No
Published:	Apr 17 2012 12:00AM
Updated:	Apr 20 2012 01:10PM
Credit:	Esteban Martinez Fayo of Application Security
Vulnerable:	Oracle Oracle11g Standard Edition 11.1.0.7 R1 Oracle Oracle11g Enterprise Edition 11.1.0.7 R1 Oracle Oracle10g Standard Edition 10.2 .3 R2 Oracle Oracle10g Standard Edition 10.2.0.4 R2 Oracle Oracle10g Personal Edition 10.2 .3 R2 Oracle Oracle10g Personal Edition 10.2.0.4 R2 Oracle Oracle10g Enterprise Edition 10.2 .3 R2 Oracle Oracle10g Enterprise Edition 10.2.0.4 R2
Not Vulnerable:

Oracle Database Server OCIPasswordChange API Security Bypass Vulnerability

Oracle Database Server is prone to a security-bypass vulnerability.

An attacker may be able to exploit this issue to aid in brute-force attacks; other attacks may also be possible.

This vulnerability affects the following supported versions:
10.2.0.3, 10.2.0.4, 11.1.0.7

Oracle Database Server OCIPasswordChange API Security Bypass Vulnerability

Currently we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Oracle Database Server OCIPasswordChange API Security Bypass Vulnerability

Solution:
Vendor updates are available. Please contact the vendor for more information.

Oracle Database Server OCIPasswordChange API Security Bypass Vulnerability

References:

• Some failed authentication attempts using OCIPasswordChange API are not recorded (TeamSHATTER)
  
• Oracle Critical Patch Update Advisory - April 2012 (Oracle)