Oracle has recently issued a security update to address a vulnerability identified by David Litchfield and unveiled as part of his “Find me in your database: an examination of index security” presentation at Black Hat USA 2012.
According to Oracle's Eric Maurice, writing on the company's security blog, the hole does not affect 11gR2 databases, and it cannot be exploited by a remote attacker who lacks valid login credentials and specific privileges.
However, if exploited successfully, the flaw, which involves the 'INDEXTYPE CTXSYS.CONTEXT' supplied by Oracle Text, allows an authenticated user holding those privileges to escalate to "SYS" privileges, i.e. full control of the database. That is why Oracle recommends that customers apply this update as soon as possible.
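As an added illustration (this is editor-written SQL, not code from the article, from Litchfield's talk or from Oracle's alert), the following queries let a DBA inventory the surface the alert describes before and after patching: whether the Oracle Text component that provides the CONTEXT indextype is installed, which CONTEXT domain indexes exist, which accounts can create one, and which version the instance runs. The views and columns are standard Oracle data-dictionary objects; the reading of what counts as "exposure" is the editor's assumption, not Oracle's.

```sql
-- Added example (not from the article or from Oracle): inventory queries a DBA can
-- run as a privileged user to gauge exposure to CVE-2012-3132 before and after patching.

-- 1. Is the Oracle Text component (schema CTXSYS, which supplies the CONTEXT
--    indextype) installed, and at what version?
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id = 'CONTEXT';

-- 2. Which CONTEXT domain indexes already exist, who owns them, and on which tables?
--    ITYP_OWNER / ITYP_NAME identify the indextype behind a DOMAIN index.
SELECT owner, index_name, table_owner, table_name, status
  FROM dba_indexes
 WHERE index_type = 'DOMAIN'
   AND ityp_owner = 'CTXSYS'
   AND ityp_name  = 'CONTEXT'
 ORDER BY owner, index_name;

-- 3. Who could create such an index? Besides the right to index the table
--    (own schema, INDEX object privilege, or CREATE ANY INDEX), a domain index
--    needs EXECUTE on the indextype. This lists direct EXECUTE grants on
--    CTXSYS.CONTEXT, PUBLIC included, as a first cut of the population that
--    meets the "specific privileges" precondition in the alert (editor's assumption).
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'CTXSYS'
   AND table_name = 'CONTEXT'
 ORDER BY grantee;

-- 4. Database version, to compare against the affected-version list in the Security Alert.
SELECT banner FROM v$version;
```

The third query is deliberately coarse: it does not follow role grants, so an account that reaches CTXSYS.CONTEXT only through a role will not appear. Treat a non-empty result as a reason to patch promptly rather than as a complete list of who could exploit the flaw.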
Maurice also used the post to stress the importance of responsible disclosure, asking researchers to give Oracle time to make patches available for the issues they uncover before publishing their details.
Oracle's Security Alert for CVE-2012-3132, with the list of affected versions and patch details, is available on Oracle's website.