Oracle Database Authentication Protocol Discloses Session Key Information to Remote Users
Oracle Database 11g Releases 1 and 2
A vulnerability was reported in Oracle Database.
The authentication protocol in Oracle Database 11g Releases 1 and 2 allows remote attackers to obtain the session key and salt for arbitrary users, which leaks information about the cryptographic hash and makes it easier to conduct brute force password guessing attacks, aka "stealth password cracking vulnerability."
A remote user can obtain the session key and cryptographic salt for a target user and use them to brute-force that user's password offline.
The vulnerability is reportedly fixed in version 12 of the authentication protocol. Administrators must configure the system to use only version 12 of the protocol. No solution was available for version 11.1 of the authentication protocol at the time of this entry. Please visit the Oracle Critical Patch Updates, Security Alerts and Third Party Bulletin for additional information when it becomes available.
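The advisory says to restrict the server to version 12 of the logon protocol but does not show the setting. The script below is an added example, not part of this entry or of Oracle's documentation: it audits a sqlnet.ora file for the server-side minimum logon version and flags files that still admit the version 11 protocol. It assumes the parameter name SQLNET.ALLOWED_LOGON_VERSION_SERVER (introduced with 11.2.0.4 and 12c; earlier 11.2 releases used SQLNET.ALLOWED_LOGON_VERSION, which the script also accepts) and treats the values 12 and 12a as hardened. The sqlnet.ora contents are constructed samples.

```shell
#!/bin/sh
# Audit sqlnet.ora for the minimum logon protocol version the server accepts.
# Added example; parameter names are assumptions, not taken from the advisory:
#   SQLNET.ALLOWED_LOGON_VERSION_SERVER  (11.2.0.4 / 12c)
#   SQLNET.ALLOWED_LOGON_VERSION         (older 11.2 releases)

# Print the effective value of the parameter (empty if it is not set).
# Comments are stripped first; the last assignment wins, as Oracle applies it.
allowed_logon_version() {
  sed -e 's/#.*//' "$1" \
    | grep -iE 'SQLNET\.ALLOWED_LOGON_VERSION(_SERVER)?[[:space:]]*=' \
    | tail -n 1 \
    | sed -e 's/.*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Return 0 only when the server refuses every pre-12 logon protocol.
# An unset parameter falls back to the product default (11 in 11.2.0.4 and
# 12.1), which still permits the vulnerable exchange, so it is not hardened.
logon_version_is_hardened() {
  v=$(allowed_logon_version "$1")
  case "$v" in
    12|12a) return 0 ;;
    *)      return 1 ;;
  esac
}

# Constructed sample files: one weak, one hardened.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
WEAK_ORA="$tmp/weak.ora"
HARD_ORA="$tmp/hardened.ora"

cat > "$WEAK_ORA" <<'EOF'
# constructed sample sqlnet.ora: still allows the version 11 protocol
SQLNET.AUTHENTICATION_SERVICES = (NTS)
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 11
EOF

cat > "$HARD_ORA" <<'EOF'
# constructed sample sqlnet.ora: version 12 protocol only
SQLNET.AUTHENTICATION_SERVICES = (NTS)
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12
EOF

for f in "$WEAK_ORA" "$HARD_ORA"; do
  v=$(allowed_logon_version "$f")
  if logon_version_is_hardened "$f"; then
    echo "$f: ALLOWED_LOGON_VERSION_SERVER=${v} (pre-12 logon refused)"
  else
    echo "$f: ALLOWED_LOGON_VERSION_SERVER=${v:-unset} (pre-12 logon still accepted)"
  fi
done
```

Raising the value to 12 is a compatibility change as well as a hardening one: clients that cannot negotiate the version 12 protocol are rejected with ORA-28040, and accounts that hold only the older 10G-style password verifier can no longer log in until their passwords are reset so an 11G (or 12C) verifier exists. Test the change against the real client population before enforcing it.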