製品・ソフトウェアに関する情報

JVN脆弱性詳細

Oracle データベース TNS リスナーに脆弱性

Title	Oracle データベース TNS リスナーに脆弱性
Summary	Oracle データベースコンポーネントの TNS リスナーには、遠隔の第三者が認証なしにデータベースサービスを登録できる脆弱性が存在します。詳しくは、Oracle が提供する Oracle Security Alert for CVE-2012-1675 (http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html) をご確認ください。
Possible impacts	遠隔の第三者によって、既に登録済みのデータベースインスタンス名を使ってサービスを登録され、中間者攻撃が行なわれる可能性があります。
Solution	2012年5月2日現在、有効な対策はありません。 [ワークアラウンドを実施する] 以下の回避策を適用することで、本脆弱性の影響を軽減することが可能です。 * Class of Secure Transport (COST) を使用し、インスタンス登録を制限する詳しくは、Oracle が提供する Oracle Security Alert for CVE-2012-1675 (http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html) をご確認ください。
Publication Date	May 2, 2012, midnight
Registration Date	May 8, 2012, 2:04 p.m.
Last Update	June 23, 2014, 10:47 a.m.

CVSS2.0 : 危険
Score	7.5
Vector	AV:N/AC:L/Au:N/C:P/I:P/A:P

Affected System

オラクル

Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5

Oracle Database 11g Release 1, version 11.1.0.7

Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3, 11.2.0.4

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2012-1675	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1675
National Vulnerability Database (NVD)
2	CVE-2012-1675	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1675

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

ベンダー情報

No	Name	URL
opensuse-security-announce
1	SUSE-SU-2012:0765	http://lists.opensuse.org/opensuse-security-announce/2012-06/msg00018.html
Oracle Security Alert
2	Oracle Security Alert for CVE-2012-1675	http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
SECURITY BLOG
3	Security Alert for CVE-2012-1675 Released	https://blogs.oracle.com/security/entry/security_alert_for_cve_2012

その他

No	Name	URL
JVN
1	JVNVU#359816	http://jvn.jp/cert/JVNVU359816
US-CERT Vulnerability Note
2	VU#359816	http://www.kb.cert.org/vuls/id/359816

Change Log

No	Changed Details	Date of change
0	[2012年05月08日] 掲載 [2012年05月11日] CVSS による深刻度：基本値と脆弱性評価基準を追加 CWE による脆弱性タイプ一覧：CWE-ID を追加ベンダ情報：オラクル (Security Alert for CVE-2012-1675 Released) [2012年07月25日] ベンダ情報：openSUSE (SUSE-SU-2012:0765) を追加 [2014年06月23日] 影響を受けるシステム：内容を更新	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2012-1675

Summary	The TNS Listener, as used in Oracle Database 11g 11.1.0.7, 11.2.0.2, and 11.2.0.3, and 10g 10.2.0.3, 10.2.0.4, and 10.2.0.5, as used in Oracle Fusion Middleware, Enterprise Manager, E-Business Suite, and possibly other products, allows remote attackers to execute arbitrary database commands by performing a remote registration of a database (1) instance or (2) service name that already exists, then conducting a man-in-the-middle (MITM) attack to hijack database connections, aka "TNS Poison."
Publication Date	May 9, 2012, 7:55 a.m.
Registration Date	Jan. 28, 2021, 2:56 p.m.
Last Update	Nov. 21, 2024, 10:37 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:oracle:database_server:10.2.0.4:::::::*
cpe:2.3:a:oracle:database_server:10.2.0.3:::::::*
cpe:2.3:a:oracle:database_server:11.2.0.2:::::::*
cpe:2.3:a:oracle:database_server:10.2.0.5:::::::*
cpe:2.3:a:oracle:database_server:11.2.0.4:::::::*
cpe:2.3:a:oracle:database_server:11.2.0.3:::::::*
cpe:2.3:a:oracle:database_server:11.1.0.7:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2012-06/msg00018.html	Mailing List Third Party Advisory
2	http://lists.opensuse.org/opensuse-security-announce/2012-06/msg00018.html	Mailing List Third Party Advisory
3	http://seclists.org/fulldisclosure/2012/Apr/204	Exploit Mailing List Third Party Advisory
4	http://seclists.org/fulldisclosure/2012/Apr/204	Exploit Mailing List Third Party Advisory
5	http://seclists.org/fulldisclosure/2012/Apr/343	Mailing List Third Party Advisory
6	http://seclists.org/fulldisclosure/2012/Apr/343	Mailing List Third Party Advisory
7	http://www.kb.cert.org/vuls/id/359816	Third Party Advisory US Government Resource
8	http://www.kb.cert.org/vuls/id/359816	Third Party Advisory US Government Resource
9	http://www.mandriva.com/security/advisories?name=MDVSA-2013:150	Third Party Advisory
10	http://www.mandriva.com/security/advisories?name=MDVSA-2013:150	Third Party Advisory
11	http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html	Vendor Advisory
12	http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html	Vendor Advisory
13	http://www.securityfocus.com/bid/53308	Exploit Third Party Advisory VDB Entry
14	http://www.securityfocus.com/bid/53308	Exploit Third Party Advisory VDB Entry
15	http://www.securitytracker.com/id?1027000	Third Party Advisory VDB Entry
16	http://www.securitytracker.com/id?1027000	Third Party Advisory VDB Entry
17	https://blogs.oracle.com/security/entry/security_alert_for_cve_2012	Vendor Advisory
18	https://blogs.oracle.com/security/entry/security_alert_for_cve_2012	Vendor Advisory
19	https://exchange.xforce.ibmcloud.com/vulnerabilities/75303	VDB Entry
20	https://exchange.xforce.ibmcloud.com/vulnerabilities/75303	VDB Entry

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-264	認可・権限・アクセス制御	https://cwe.mitre.org/data/definitions/264.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:oracle:database_server:10.2.0.4:::::::*
cpe:2.3:a:oracle:database_server:10.2.0.3:::::::*
cpe:2.3:a:oracle:database_server:11.2.0.2:::::::*
cpe:2.3:a:oracle:database_server:10.2.0.5:::::::*
cpe:2.3:a:oracle:database_server:11.2.0.4:::::::*
cpe:2.3:a:oracle:database_server:11.2.0.3:::::::*
cpe:2.3:a:oracle:database_server:11.1.0.7:::::::*