Oracle Rushes To Offer Database Vulnerability Workarounds

Four years of hurt for one researcher may finally be at an end as Oracle patches a flaw affecting its database products

Oracle has moved fast to offer workarounds for a critical vulnerability affecting its database products, four years after the company was told about the issue and after it had allegedly falsely claimed to have patched the flaw in April.

Products affected include various versions of Oracle Database 11g and Oracle Database 10g. Oracle Fusion Middleware, Enterprise Manager and the vendor’s E-Business Suite include the database component affected by the vulnerability, so Larry Ellison’s firm has advised IT teams to cover those products too.

Four-year wait appears over

“This security alert addresses the security issue CVE-2012-1675, a vulnerability in the TNS listener which has been recently disclosed as ‘TNS Listener Poison Attack’ affecting the Oracle Database Server,” Oracle said in an advisory.

“This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality, integrity and availability of systems that do not have recommended solution applied.”

Concerns were raised over the flaw last month, following an Oracle critical patch update that covered 88 vulnerabilities. One of the patches dealing with the TNS Listener service had stability issues, meaning the fix did not work adequately. The TNS Listener component directs connections from the client to the database server, after the client chooses the database’s instance name.

The flaw affecting the component was first disclosed to Oracle way back in 2008 by researcher Joxean Koret, who was credited in the patch update in April. Yet Koret was confused by the Oracle statement that the vulnerability “was fixed in future releases of the product” – something that did not make sense to the researcher.

Koret claimed the “zero-day” vulnerability still affected a large number of Oracle Database products. “Oracle refuses to patch the vulnerability in *any* existing version and Oracle refuses to give details about which versions will have the fix. But they say the vulnerability is fixed. Cool,” Koret wrote on Seclists.org.

Oracle has now moved to offer workarounds for the flaw, recommending users apply them as soon as possible.
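The article does not spell out what the workarounds are, but the flaw lives in the listener's dynamic instance registration, so the practical question for a DBA is whether each listener still accepts registrations over plain TCP. The script below is an added example, not code from the article or from Oracle: it parses a listener.ora and reports each listener as open or restricted. The parameter names it checks (SECURE_REGISTER_<listener>, DYNAMIC_REGISTRATION_<listener> and VALID_NODE_CHECKING_REGISTRATION_<listener>) are assumed from Oracle's published Class of Secure Transport guidance rather than taken from this page, and both sample files are constructed.

```python
"""Report whether listeners in a listener.ora restrict dynamic instance
registration, the mechanism abused by the TNS Listener Poison Attack.

Added example, not from the article. The parameter names are assumed from
Oracle's Class of Secure Transport (COST) guidance; sample files are constructed.
"""
import re

# Constructed sample: a default listener that accepts registration over TCP and IPC.
WEAK_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.test)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )
"""

# Constructed sample: the same listener, with registration limited to the local IPC endpoint.
HARDENED_LISTENER_ORA = WEAK_LISTENER_ORA + """
SECURE_REGISTER_LISTENER = (IPC)
"""


def top_level_params(text):
    """Split an Oracle Net parameter file into {NAME: raw value} at nesting depth 0.

    '#' comments are dropped. Parenthesised values keep their parentheses so the
    caller can inspect them; bare values (e.g. OFF) are returned as-is."""
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    params = {}
    pos = 0
    name_pattern = re.compile(r"\s*([A-Za-z0-9_.$]+)\s*=\s*")
    while True:
        m = name_pattern.match(text, pos)
        if not m:
            break
        name = m.group(1).upper()
        pos = m.end()
        if pos < len(text) and text[pos] == "(":
            # Walk to the matching close paren so nested ADDRESS blocks stay intact.
            depth, start = 0, pos
            while pos < len(text):
                if text[pos] == "(":
                    depth += 1
                elif text[pos] == ")":
                    depth -= 1
                    if depth == 0:
                        pos += 1
                        break
                pos += 1
            params[name] = text[start:pos]
        else:
            bare = re.match(r"\S+", text[pos:])
            params[name] = bare.group(0) if bare else ""
            pos += len(params[name])
    return params


def protocols_in(value):
    """Return the set of PROTOCOL values named inside a (DESCRIPTION ...) block."""
    return {p.upper() for p in re.findall(r"PROTOCOL\s*=\s*([A-Za-z]+)", value, re.I)}


def registration_findings(text):
    """Return {listener_name: 'open' | 'restricted'}.

    A listener is 'restricted' when dynamic registration is switched off, when
    valid-node checking for registration is enabled, or when SECURE_REGISTER
    names transports that exclude plain TCP. Otherwise it is 'open' if any of
    its endpoints speaks TCP."""
    params = top_level_params(text)
    findings = {}
    for name, value in params.items():
        if "DESCRIPTION" not in value.upper():
            continue  # a control parameter, not a listener definition
        dyn = params.get(f"DYNAMIC_REGISTRATION_{name}", "ON").upper()
        vnc = params.get(f"VALID_NODE_CHECKING_REGISTRATION_{name}", "OFF").upper()
        secure = params.get(f"SECURE_REGISTER_{name}")
        if dyn == "OFF" or vnc in ("ON", "1", "LOCAL", "SUBNET"):
            findings[name] = "restricted"
        elif secure is not None:
            allowed = {t.strip().upper() for t in secure.strip("()").split(",")}
            findings[name] = "open" if "TCP" in allowed else "restricted"
        else:
            findings[name] = "open" if "TCP" in protocols_in(value) else "restricted"
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_LISTENER_ORA), ("hardened", HARDENED_LISTENER_ORA)):
        for listener, verdict in registration_findings(sample).items():
            print(f"{label:9s} {listener}: {verdict}")
```

Run against a real listener.ora by reading the file into `registration_findings`; a listener reported as "open" still accepts remote instance registration and is the one to revisit against Oracle's current guidance for the installed release.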
