CVE-2012-3137

EUVD-2012-3115
The authentication protocol in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote attackers to obtain the session key and salt for arbitrary users, which leaks information about the cryptographic hash and makes it easier to conduct brute force password guessing attacks, aka "stealth password cracking vulnerability."
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.4 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
Affected Products (NVD)
VendorProductVersion
oracledatabase_server
10.2.0.3
oracledatabase_server
10.2.0.4
oracledatabase_server
10.2.0.5
oracledatabase_server
11.1.0.7
oracledatabase_server
11.2.0.2
oracledatabase_server
11.2.0.3
oracleprimavera_p6_enterprise_project_portfolio_management
8.2
oracleprimavera_p6_enterprise_project_portfolio_management
8.3
oracleprimavera_p6_enterprise_project_portfolio_management
8.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://arstechnica.com/security/2012/09/oracle-database-stealth-password-cracking-vulnerability/
http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular
http://www.darkreading.com/authentication/167901072/security/application-security/240007643/attack-easily-cracks-oracle-database-passwords.html
http://www.exploit-db.com/exploits/22069
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
http://www.securityfocus.com/bid/55651
http://arstechnica.com/security/2012/09/oracle-database-stealth-password-cracking-vulnerability/
http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular
http://www.darkreading.com/authentication/167901072/security/application-security/240007643/attack-easily-cracks-oracle-database-passwords.html
http://www.exploit-db.com/exploits/22069
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
http://www.securityfocus.com/bid/55651