Bug 859935 (CVE-2012-3137)

Summary: CVE-2012-3137 oracle-server: Authentication protocol allows session key and salt for arbitrary users ("stealth password cracking vulnerability")
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: jpazdziora, mmraka
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-09-24 14:00:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 859939

Description Jan Lieskovsky 2012-09-24 12:34:57 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-3137 to the following vulnerability:

The authentication protocol in Oracle Database 11g 1 and 2 allows remote attackers to obtain the session key and salt for arbitrary users, which leaks information about the cryptographic hash and makes it easier to conduct brute force password guessing attacks, aka "stealth password cracking vulnerability."

References:
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3137
[2] http://www.darkreading.com/authentication/167901072/security/application-security/240007643/attack-easily-cracks-oracle-database-passwords.html
[3] http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular
[4] http://arstechnica.com/security/2012/09/oracle-database-stealth-password-cracking-vulnerability/

Comment 1 Jan Lieskovsky 2012-09-24 12:36:58 UTC
Other references:
[5] http://www.ekoparty.org/eng/2012/esteban-fayo.php

Comment 5 Jan Lieskovsky 2012-09-24 14:00:04 UTC
Statement:

Not vulnerable. This issue did not affect the version of the oracle-server package as shipped with Red Hat Network Satellite 5.4.