
Patching for CVE-2012-3137 (Doc ID 1493990.1)

Last updated on JANUARY 22, 2020

Applies to:

Oracle WebLogic Server
JDBC
Oracle Fusion Middleware
Oracle Database - Standard Edition - Version 10.2.0.3 to 11.2.0.4 [Release 10.2 to 11.2]
Oracle Database - Enterprise Edition - Version 10.2.0.3 to 11.2.0.4 [Release 10.2 to 11.2]
Information in this document applies to any platform.
Information also applies to Oracle Client installations, including both JDBC and non-JDBC clients

Purpose

Patches have been released as part of the October 2012 CPU program that include fixes to protect against vulnerability CVE-2012-3137. This vulnerability affects Database user accounts using SHA-1 based password verifiers for authentication. SHA-1 based password verifiers are also referred to as “11G” password versions. Database user accounts using a DES based password verifier for authentication are unaffected. DES based password verifiers are also referred to as “10G” password versions.

For most deployments, patching only the affected Database servers is sufficient for systems to be protected and to continue to function.

For a limited number of deployments, all Database clients and JDBC clients (including WebLogic Server, Fusion Middleware, Enterprise Manager, etc.) must be patched along with the Database Server, otherwise the un-patched clients will fail to connect to a patched server.

This document helps you determine the best approach to apply patches to only the affected system components.

Scope

This document is intended for administrators who intend to patch the Database server, Database clients, or JDBC clients (including WebLogic Server, Fusion Middleware, Enterprise Manager, etc.) with the fix for CVE-2012-3137. You must read this document before applying any such patch.

The fix for vulnerability CVE-2012-3137 is included in all SPUs and PSUs from October 2012 onwards. It is recommended that you always use the latest available SPU / PSU / bundle applicable to your platform / version. Please refer to My Oracle Support Document 1454618.1 - Quick Reference to Patch Numbers for Database PSU, SPU(CPU), Bundle Patches and Patchsets for applicable patches.

In the following text the term "patch" denotes any patch that contains the fix for vulnerability CVE-2012-3137.

Tables 1 and 2 below list the Server and Client product versions that may need patching. The fix for CVE-2012-3137 is included in patchset 11.2.0.4, so if you upgrade to patchset 11.2.0.4 from a previously unpatched 11.2.0.2 or 11.2.0.3 database version you are also introducing the change, and incompatible client versions may be unable to connect if there is no valid 10G password verifier.
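Whether client patching matters at all depends on which accounts carry only a SHA-1 ("11G") verifier and no DES ("10G") verifier. The following queries are an added example (not part of Doc ID 1493990.1 and not Oracle-supplied tooling) that inventories the verifier versions on an 11.1 / 11.2 database before the server is patched. They assume the DBA_USERS columns PASSWORD_VERSIONS and AUTHENTICATION_TYPE, which exist from 11g onward; a 10.2 database has neither column and its password-authenticated accounts only carry DES verifiers anyway.

```sql
-- Added example, not from Doc ID 1493990.1.
-- Run as a DBA on an 11.1 / 11.2 database before applying the CVE-2012-3137 fix.
-- Assumes DBA_USERS.PASSWORD_VERSIONS (values such as '10G 11G', '11G', '10G')
-- and DBA_USERS.AUTHENTICATION_TYPE ('PASSWORD', 'GLOBAL', 'EXTERNAL', 'NONE').

-- 1) Overview: how many password-authenticated accounts carry which verifiers?
--    '10G 11G' = both verifiers, '11G' = SHA-1 only, '10G' = DES only.
SELECT password_versions, COUNT(*) AS accounts
FROM   dba_users
WHERE  authentication_type = 'PASSWORD'
GROUP  BY password_versions
ORDER  BY password_versions;

-- 2) Accounts that drive the client-patching decision: a SHA-1 ('11G')
--    verifier is present but no DES ('10G') verifier exists, so the
--    unpatched client versions in Tables 1 and 2 cannot log in as these
--    accounts once the server is patched.
SELECT username,
       password_versions,
       account_status
FROM   dba_users
WHERE  authentication_type = 'PASSWORD'
AND    password_versions LIKE '%11G%'
AND    password_versions NOT LIKE '%10G%'
ORDER  BY username;

-- 3) Accounts outside the verifier question: globally identified (EUS) and
--    externally authenticated users do not authenticate with a database
--    password verifier, so they are listed separately rather than by version.
SELECT username, authentication_type
FROM   dba_users
WHERE  authentication_type IN ('GLOBAL', 'EXTERNAL')
ORDER  BY username;
```

If query 2 returns no rows, every password-authenticated account still has a 10G verifier and, per Table 1, the client side of an 11.2.0.2 or 11.1.0.7 installation only needs patching if company policy mandates exclusive use of SHA-1 verifiers. A non-empty result lists exactly the accounts whose logins from unpatched clients would fail after server patching, and it is also the list to revisit after an 11.2.0.4 upgrade, since that patchset carries the same change.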

Table 1 Oracle Database – Server and Client Patching

Database / Client Version (#1) | Database Server Patching needed? (#2) | JDBC and Non-JDBC Client Patching needed? (#2)
-------------------------------|---------------------------------------|-----------------------------------------------
11.2.0.3 | Yes | No
11.2.0.2 | Yes | Yes only if mandatory use of SHA-1 based password verifier is required, and optional otherwise
11.1.0.7 | Yes | Yes only if mandatory use of SHA-1 based password verifier is required, and optional otherwise
10.2.0.5 | Yes only if using Enterprise User Security (EUS) and mandatory use of SHA-1 based password verifier is required | Yes for non-JDBC clients and only if mandatory use of SHA-1 based password verifier is required, and optional otherwise
10.2.0.4 | Yes only if using Enterprise User Security (EUS) and mandatory use of SHA-1 based password verifier is required | Yes for non-JDBC clients and only if mandatory use of SHA-1 based password verifier is required, and optional otherwise
10.2.0.3 (z/OS only) | Yes only if using Enterprise User Security (EUS) and mandatory use of SHA-1 based password verifier is required | Yes for non-JDBC clients and only if mandatory use of SHA-1 based password verifier is required, and optional otherwise

#1 Database version for checking whether the server needs patching; client-side Required Support Files (RSF) version for checking whether the client side needs patching.
   e.g. for an 11.2.0.2 client talking to an 11.2.0.3 database, see the "11.2.0.2" row for the client install and the "11.2.0.3" row for the Database Server.
#2 "Mandatory use of SHA-1" relates to the customer's own company policy.

Table 2 Oracle Fusion Middleware, WebLogic Server, and Enterprise Manager - Client Patching

Product/Version | JDBC Client Patching needed? (#2) | Non-JDBC Client Patching needed? (#2)
----------------|-----------------------------------|--------------------------------------
FMW 11.1.2.1.0 (#1) | Yes only if mandatory use of SHA-1 based password verifier is required, and optional otherwise | Yes only if mandatory use of SHA-1 based password verifier is required, and optional otherwise
FMW 11.1.2.0.0 (#1) | Yes only if mandatory use of SHA-1 based password verifier is required, and optional otherwise | Yes only if mandatory use of SHA-1 based password verifier is required, and optional otherwise
FMW 11.1.1.5.0 (#1) | Yes only if mandatory use of SHA-1 based password verifier is required, and optional otherwise | Yes only if mandatory use of SHA-1 based password verifier is required, and optional otherwise
FMW 11.1.1.6.0 and above (#1) | No | Yes only if mandatory use of SHA-1 based password verifier is required, and optional otherwise
F&R and IAM 11.1.2.2 and above (#1) | No | Yes only if mandatory use of SHA-1 based password verifier is required, and optional otherwise
WLS 10.3.6.0 | No | Not Applicable
WLS 10.3.5.0 | Yes only if mandatory use of SHA-1 based password verifier is required, and optional otherwise | Not Applicable
EMCC 12.1.0.1 | Yes only if mandatory use of SHA-1 based password verifier is required, and optional otherwise | Yes for EM Agent only if mandatory use of SHA-1 based password verifier is required, and optional otherwise
EMGC 11.1.0.1 | Yes only if mandatory use of SHA-1 based password verifier is required, and optional otherwise | Yes for EM Agent only if mandatory use of SHA-1 based password verifier is required, and optional otherwise

#1 Not ALL of FMW needs a DB Client patch; only the Oracle Identity Management, Portal, Forms, Reports, Discoverer, and Web-Tier Middleware homes do.
#2 "Mandatory use of SHA-1" relates to the customer's own company policy.

Details



In this Document
Purpose
Scope
Details
  Determining Whether Client Patching is Necessary
    1) Determine whether the users on the Database server have a DES based password verifier or use EUS
    2) Decide on a patch plan for the Database server
    3) Apply the patch
  Alternatives to Client Patching for Database Servers Using SHA-1 Password Verifiers Exclusively
  Implications of Patching a Database Server Exclusively Using SHA-1 Password Verifiers
  Re-enabling Exclusive Use of SHA-1 Password Verifiers
  Other Considerations
  References
  Modification history
References
