SecurityWeek

Oracle Database Vulnerability Flap Exposes Customers to Attack

Oracle users should apply a workaround in lieu of a patch for a critical vulnerability revealed in a bug disclosure flap, security experts say.

The vulnerability, which was revealed by security researcher Joxean Koret after he thought it had been patched, affects the TNS Listener component responsible for routing connections from the client to the database server. If exploited, the flaw can enable attackers to intercept any connection between databases and clients without any user authentication.

Koret, who reported the vulnerability in 2008, said in a post on the Full Disclosure mailing list that he published information about the vulnerability after discovering that Oracle had given him credit for uncovering the bug in their “Security-in-depth” program following the release of the company’s latest Critical Patch Update (CPU).

“I asked both Oracle and iSightPartners (the company I sold the vulnerability to in 2008) for information about the vulnerability they fixed in this CPU,” he wrote. “Oracle told us that the vulnerability with tracking id #13793589 (the TNS poison vulnerability) was the one fixed.”

However, after questioning Oracle further, Koret discovered the patch for the vulnerability was being planned for future versions of the Oracle Database, and that current installations remain vulnerable.

“There is no patch at all for this vulnerability and Oracle refuses to write a patch for any existing versions, even for Oracle 11g R2,” the researcher wrote. “So, yes, all versions are vulnerable and will remain vulnerable.”

According to the researcher, the explanation the company gave was that the fix was complex and risky to backport and rests in a sensitive part of code where regressions are a concern. Oracle declined a request today by SecurityWeek to respond to Koret’s comments. Still, the company released an advisory about the bug on Monday.

“Since Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite include the Oracle Database component that is affected by this vulnerability, Oracle recommends that customers apply the solution for this vulnerability to the Oracle Database component,” the advisory states.

Koret, who said the vulnerability affects all versions of the database from Oracle 8i to 11g R2, posted details of a number of workarounds, including setting the following parameter in the listener.ora configuration file: dynamic_registration = off. Details of the workarounds can be found here. Oracle is linking to information about workarounds on their advisory as well.
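As an added illustration (not code from the article, from Koret or from Oracle), a small Python audit that parses a listener.ora file in the nested parenthesised Oracle Net syntax and reports, for each listener it defines, whether the dynamic_registration = off workaround is in effect. The per-listener DYNAMIC_REGISTRATION_<listener> spelling is an assumption about Oracle Net naming, and the sample file is constructed for the example.

```python
import re
# Added example, not Oracle tooling: audit listener.ora for the workaround.
_KEY = re.compile(r"\s*([A-Za-z0-9_.$]+)\s*=\s*")  # top-level "KEY =" (case-insensitive)
def parse_listener_ora(text):
    """Top-level {KEY: value}; a value is one token to end of line (e.g. OFF)
    or a parenthesised block that may span lines; '#' starts a comment."""
    src = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    entries, i, n = {}, 0, len(src)
    while (m := _KEY.match(src, i)):
        key, i = m.group(1).upper(), m.end()
        if i < n and src[i] == "(":
            depth, start = 0, i
            while i < n:                       # walk to the matching ')'
                depth += {"(": 1, ")": -1}.get(src[i], 0)
                i += 1
                if depth == 0:
                    break
            entries[key] = re.sub(r"\s+", "", src[start:i])
        else:
            end = (src + "\n").find("\n", i)   # value runs to end of line
            entries[key], i = src[i:end].strip(), end
    return entries

def listeners(entries):
    """Listener names are the keys whose value is an address/description block."""
    return [k for k, v in entries.items()
            if v.upper().startswith(("(DESCRIPTION", "(ADDRESS"))]

def dynamic_registration_off(entries, name):
    """True when the article's DYNAMIC_REGISTRATION = OFF covers `name`; a
    per-listener DYNAMIC_REGISTRATION_<name> entry (assumed naming) wins."""
    for key in (f"DYNAMIC_REGISTRATION_{name}", "DYNAMIC_REGISTRATION"):
        if key in entries:
            return entries[key].upper() == "OFF"
    return False  # parameter absent: dynamic registration stays enabled

def audit(text):
    """Map every listener in the file to True (workaround set) or False."""
    entries = parse_listener_ora(text)
    return {n: dynamic_registration_off(entries, n) for n in listeners(entries)}
SAMPLE_LISTENER_ORA = """
# constructed sample, not from any real deployment
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db.example.test)(PORT = 1521)))
LISTENER_ADMIN =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521)))
DYNAMIC_REGISTRATION_LISTENER_ADMIN = OFF
"""
```

Running audit(SAMPLE_LISTENER_ORA) flags LISTENER as still accepting dynamic registration while LISTENER_ADMIN is covered; appending the article's global DYNAMIC_REGISTRATION = OFF line covers both.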

“We strongly urge all Oracle database customers to pay very close attention to the workaround details outlined in the Oracle Security Alert for CVE-2012-1675, but also offer the advice to not be fooled by the watered down CVSS score of 7.5 that Oracle has assessed this critical vulnerability,” said Alex Rothacker, director of security research for Application Security’s TeamSHATTER research arm. “The consensus across the security research community outside of Oracle assigns this vulnerability with the highest CVSS score possible, 10.0. While this workaround clearly isn’t the answer for a critical vulnerability that was brought to Oracle’s attention in 2008, this is the best course of action for end users to take until Oracle decides it is important enough to patch.”
