Vulnerability CVE-2006-0270

Vulnerability Name:

CVE-2006-0270 (CCN-24186)

Assigned:

2006-01-18

Published:

2006-01-18

Updated:

2018-10-19

Summary:

Unspecified vulnerability in the Transparent Data Encryption (TDE) Wallet component of Oracle Database server 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB27.
Note: Oracle has not disputed a reliable researcher report that TDA stores the master key without encryption, which allows local users to obtain the key via the SGA.

CVSS v3 Severity:

2.8 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
8.7 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Access Complexity (AC): Authentication (Au):
Impact Metrics:	Confidentiality (C): Integrity (I): Availibility (A):

1.7 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:P/I:N/A:N)
1.5 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:S/C:P/I:N/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Access Complexity (AC): Athentication (Au):
Impact Metrics:	Confidentiality (C): Integrity (I): Availibility (A):

Vulnerability Type:

CWE-noinfo
CWE-310

Vulnerability Consequences:

Other

References:

Source: CCN
Type: Full-Disclosure Mailing List, Tue Jan 17 2006 - 14:32:55 CST
Oracle Database 10g Rel. 2- Transparent Data Encryption plaintext masterkey in SGA

Source: MITRE
Type: CNA
CVE-2006-0270

Source: CCN
Type: SA18493
Oracle Products Multiple Vulnerabilities and Security Issues

Source: SECUNIA
Type: Vendor Advisory
18493

Source: CCN
Type: SA18608
HP Oracle for Openview Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
18608

Source: CCN
Type: SECTRACK ID: 1015499
Oracle Database and Other Products Have Multiple Unspecified Vulnerabilities With Unspecified Impact

Source: SECTRACK
Type: UNKNOWN
1015499

Source: CCN
Type: US-CERT VU#545804
Oracle products contain multiple vulnerabilities

Source: CERT-VN
Type: US Government Resource
VU#545804

Source: CCN
Type: Oracle Web site
Oracle Critical Patch Update Advisory - January 2006

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html

Source: MISC
Type: UNKNOWN
http://www.red-database-security.com/advisory/oracle_tde_unencrypted_sga.html

Source: BUGTRAQ
Type: UNKNOWN
20060117 Oracle Database 10g Rel. 2- Transparent Data Encryption plaintext masterkey in SGA

Source: BID
Type: UNKNOWN
16287

Source: CCN
Type: BID-16287
Oracle January Security Update Multiple Vulnerabilities

Source: VUPEN
Type: Vendor Advisory
ADV-2006-0243

Source: VUPEN
Type: Vendor Advisory
ADV-2006-0323

Source: XF
Type: UNKNOWN
oracle-sga-masterkey-plaintext(24186)

Source: XF
Type: UNKNOWN
oracle-sga-masterkey-plaintext(24186)

Source: XF
Type: UNKNOWN
oracle-january2006-update(24321)

Vulnerable Configuration:

Configuration 1:

cpe:/a:oracle:database_server:10.2.0.1:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:oracle:database_server:10.2.0.1:r2:*:*:*:*:*:*

Denotes that component is vulnerable