Oracle stressed that the vulnerability, disclosed at the Black Hat conference, is not remotely exploitable by an unauthenticated user. However, a “remote authenticated user can exploit this vulnerability to gain 'SYS' privileges and impact the confidentiality, integrity and availability of un-patched systems”, the company explained in its security advisory.
Oracle said that a number of its products, including Fusion Middleware, Enterprise Manager and E-Business Suite, include the vulnerability, but some of them may already be protected if the customer has installed the July 2012 Critical Patch Update.
“Due to the threat posed by a successful attack, and the public disclosure of the technical details of this vulnerability, Oracle strongly recommends that customers apply this security alert solution as soon as possible”, the company said.
Referring to the public disclosure of the vulnerability, Eric Maurice, director of software security assurance at Oracle, wrote in a blog post: “It is unfortunate when the technical details of a security vulnerability are disclosed before a fix could be made available, especially when the disruption resulting from having to deal with an unplanned patch, and the amount of time required by customers to apply the patch, may yield less of a security posture improvement than other security efforts, such as ongoing hardening and auditing.”