Oracle users should apply a workaround in lieu of a patch for a critical vulnerability revealed in a bug disclosure flap, security experts say.
The vulnerability, which was revealed by security researcher Joxean Koret after he thought it had been patched, affects the TNS Listener component responsible for routing connections from the client to the database server. If exploited, the flaw can enable attackers to intercept any connection between databases and clients without any user authentication.
Koret, who reported the vulnerability in 2008, said in a post on the Full Disclosure mailing list that he published information about the vulnerability after discovering that Oracle had given him credit for uncovering the bug in their “Security-in-depth” program following the release of the company’s latest Critical Patch Update (CPU).
“I asked both Oracle and iSightPartners (the company I sold the vulnerability in 2008) for information about the vulnerability they fixed in this CPU,” he wrote. “Oracle told us that the vulnerability with tracking id #13793589 (the TNS poison vulnerability) was the one fixed.”
However, after questioning Oracle further, Koret discovered the patch for the vulnerability was being planned for future versions of the Oracle Database, and that current installations remain vulnerable.
“There is no patch at all for this vulnerability and Oracle refuses to write a patch for any existing versions, even for Oracle 11g R2,” the researcher wrote. “So, yes, all versions are vulnerable and will remain vulnerable.”
According to the researcher, the explanation the company gave was that the fix was complex and risky to backport and rests in a sensitive part of code where regressions are a concern. Oracle declined a request today by SecurityWeek to respond to Koret’s comments. Still, the company released an advisory about the bug on Monday.
“Since Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite include the Oracle Database component that is affected by this vulnerability, Oracle recommends that customers apply the solution for this vulnerability to the Oracle Database component,” the advisory states.
Koret, who said the vulnerability affects all versions of the database from Oracle 8i to 11g R2, posted details of a number of workarounds, including setting the following parameter in the listener.ora configuration file: dynamic_registration = off. Oracle is linking to information about workarounds in its advisory as well.
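To check whether the workaround above is in place on a given host, the following added example (not code from Koret, Oracle or the original article) parses a listener.ora file and reports, for each listener it defines, whether dynamic registration is switched off. The sample file, the host names and the per-listener parameter form DYNAMIC_REGISTRATION_<listener name> are assumptions not taken from the article, and listener detection is a heuristic.

```python
import re

# Constructed sample listener.ora (not from the article): two listeners,
# only one of which has dynamic registration switched off.
SAMPLE = """\
# constructed example
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.internal)(PORT = 1521))))
LISTENER_APP =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.internal)(PORT = 1522)))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = ORCL)))
DYNAMIC_REGISTRATION_LISTENER = off
"""

# A top-level entry starts in column 0; continuation lines are indented.
ENTRY = re.compile(r"^([A-Za-z][\w.]*)\s*=", re.MULTILINE)

def top_level_entries(text):
    """Return {NAME: value} for every entry that starts in column 0."""
    text = re.sub(r"#.*", "", text)  # drop comments
    hits = list(ENTRY.finditer(text))
    entries = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        entries[m.group(1).upper()] = text[m.end():end].strip()
    return entries

def audit(text):
    """Map each listener name to True if dynamic registration is off for it."""
    entries = top_level_entries(text)
    # Heuristic: a listener definition is an entry whose value holds an ADDRESS.
    listeners = [n for n, v in entries.items()
                 if re.search(r"\(\s*ADDRESS\b", v, re.I)]
    result = {}
    for name in listeners:
        # Accept the bare form quoted in the article and the per-listener
        # suffixed form (assumption: DYNAMIC_REGISTRATION_<listener name>).
        values = [entries.get("DYNAMIC_REGISTRATION"),
                  entries.get("DYNAMIC_REGISTRATION_" + name)]
        result[name] = any(v is not None and v.lower() == "off" for v in values)
    return result

if __name__ == "__main__":
    for listener, ok in audit(SAMPLE).items():
        print(f"{listener}: {'workaround set' if ok else 'dynamic registration NOT disabled'}")
```

A listener reported as not disabled still accepts dynamic service registration and needs the workaround applied and the listener restarted or reloaded before re-checking.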
“We strongly urge all Oracle database customers to pay very close attention to the workaround details outlined in the Oracle Security Alert for CVE-2012-1675, but also offer the advice to not be fooled by the watered down CVSS score of 7.5 that Oracle has assessed this critical vulnerability,” said Alex Rothacker, director of security research for Application Security’s TeamSHATTER research arm. “The consensus across the security research community outside of Oracle assigns this vulnerability with the highest CVSS score possible, 10.0. While this workaround clearly isn’t the answer for a critical vulnerability that was brought to Oracle’s attention in 2008, this is the best course of action for end users to take until Oracle decides it is important enough to patch.”