CVE-2012-3132

Name of the Vulnerable Software and Affected Versions Oracle Database Server versions 10.2.0.3 through 10.2.0.5 Oracle Database Server versions 11.1.0.7 Oracle Database Server versions 11.2.0.2 through 11.2.0.3

Description The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved via vectors involving the CREATE INDEX statement with a CTXSYS.CONTEXT indextype and the DBMS STATS.GATHER TABLE STATS function.

Recommendations For Oracle Database Server versions 10.2.0.3 through 10.2.0.5, update to a version that includes the fix for this issue. For Oracle Database Server version 11.1.0.7, update to a version that includes the fix for this issue. For Oracle Database Server versions 11.2.0.2 through 11.2.0.3, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting the use of the CREATE INDEX statement with a CTXSYS.CONTEXT indextype and the DBMS STATS.GATHER TABLE STATS function until a patch is available.