Oracle has published a security alert, tracked as CVE-2012-3132, warning of a privilege escalation vulnerability in Oracle Database Server.
"The potential attack vector was initially disclosed at last month's Black Hat conference in Las Vegas," writes CRN's Ken Presti. "'This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password,' reads the Oracle Security Alert for CVE-2012-3132. 'A remote authenticated user can exploit this vulnerability to gain "SYS" privileges and impact the confidentiality, integrity and availability of unpatched systems.'"
"Though the flaw is not remotely exploitable by an unauthenticated attacker, it is still considered serious given that a user could gain high-level privileges and take unauthorized actions on the database server," writes Threatpost's Dennis Fisher. "The vulnerability is a SQL-injection weakness in the database server."
"Oracle said that there are a number of its products -- Fusion Middleware, Enterprise Manager, and E-Business Suite -- that include the vulnerability, but some of them may be protected if the customer has installed the July 2012 critical patch update," Infosecurity reports. "'Due to the threat posed by a successful attack, and the public disclosure of the technical details of this vulnerability, Oracle strongly recommends that customers apply this security alert solution as soon as possible,' the company said."