Oracle scrambles workarounds for database zero-day

Oracle has recommended workarounds for a zero-day Oracle Database flaw that was not fixed in the company's April critical patch update. The flaw in the Transparent Network Substrate (TNS) Listener database component, which Oracle has known about for at least four years, could allow a hacker to break into a database without a username or password, Oracle said in a security advisory on Monday. The TNS Listener manages network traffic between the database and its clients.

Oracle Database administrators should use workarounds including implementing Class of Secure Transport (COST) restrictions, Oracle software security assurance director Eric Maurice said in a blog post on Monday.
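The following is an added example, not from the article and not Oracle's own code: a hardened listener.ora fragment showing the COST setting Maurice refers to, next to an unrestricted default, plus a small POSIX shell check that reports whether a given listener.ora restricts instance registration. COST (Class of Secure Transport) works by limiting the transports over which the listener will accept an instance registration; allowing only the local IPC endpoint means a remote TCP client can no longer register a rogue service with the listener, which is what the TNS Poison attack (CVE-2012-1675) relies on. The parameter names SECURE_REGISTER_<listener>, VALID_NODE_CHECKING_REGISTRATION_<listener> and DYNAMIC_REGISTRATION_<listener> are Oracle's (the latter two exist only in 11.2.0.4 and later); the listener name LISTENER, the hostname and the ports are assumptions. The two configuration texts are constructed for the example.

```shell
#!/bin/sh
# Added example: hardened vs. default listener.ora, and an audit function.
# Not part of the ZDNet article or of Oracle's documentation.

# Constructed default listener.ora: a single TCP endpoint and no
# registration restriction, so any host that can reach port 1521 may
# register a service with the listener.
DEFAULT_LISTENER_ORA='
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
    )
  )
'

# Constructed hardened listener.ora using COST. The listener gains a local
# IPC endpoint and SECURE_REGISTER_LISTENER limits registration to IPC, so
# registrations arriving over TCP are refused. The database instance on the
# same host must then have LOCAL_LISTENER pointing at that IPC address so
# the real instance can still register. Hostname and key are assumptions.
HARDENED_LISTENER_ORA='
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = LISTENER_IPC))
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
    )
  )

# COST: accept instance registration over the local IPC endpoint only.
SECURE_REGISTER_LISTENER = (IPC)
'

# Reads a listener.ora on stdin. Returns 0 if instance registration is
# restricted by one of three settings, 1 otherwise. The COST check is
# deliberately strict: only "(IPC)" on its own counts, because a transport
# list that still includes TCP would let remote registrations through.
listener_registration_restricted() {
    cfg=$(sed 's/#.*$//')   # drop comments so a commented-out setting does not count

    # COST: SECURE_REGISTER_<listener> = (IPC)
    if printf '%s\n' "$cfg" | grep -Eiq \
        '^[[:space:]]*SECURE_REGISTER_[A-Za-z0-9_]+[[:space:]]*=[[:space:]]*\([[:space:]]*IPC[[:space:]]*\)'; then
        return 0
    fi
    # Valid node checking for registration (11.2.0.4+): ON/1/LOCAL or SUBNET/2
    if printf '%s\n' "$cfg" | grep -Eiq \
        '^[[:space:]]*VALID_NODE_CHECKING_REGISTRATION_[A-Za-z0-9_]+[[:space:]]*=[[:space:]]*(ON|1|LOCAL|SUBNET|2)[[:space:]]*$'; then
        return 0
    fi
    # Dynamic registration switched off entirely (11.2.0.4+)
    if printf '%s\n' "$cfg" | grep -Eiq \
        '^[[:space:]]*DYNAMIC_REGISTRATION_[A-Za-z0-9_]+[[:space:]]*=[[:space:]]*OFF[[:space:]]*$'; then
        return 0
    fi
    return 1
}

# Report on the two constructed configurations. To audit a real listener,
# run: listener_registration_restricted < "$ORACLE_HOME/network/admin/listener.ora"
# and reload the listener with "lsnrctl reload" after changing the file.
if printf '%s' "$DEFAULT_LISTENER_ORA" | listener_registration_restricted; then
    echo "default listener.ora: instance registration restricted"
else
    echo "default listener.ora: remote TCP registration still accepted"
fi
if printf '%s' "$HARDENED_LISTENER_ORA" | listener_registration_restricted; then
    echo "hardened listener.ora: instance registration restricted"
else
    echo "hardened listener.ora: remote TCP registration still accepted"
fi
```

The check only looks at the listener side; a COST deployment also needs the instance's LOCAL_LISTENER to name the IPC endpoint, and environments with remote listeners (RAC, Data Guard) need the TCPS variant of the same setting, which this example does not cover.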

Oracle may fix the flaw in a future version of Oracle Database, but Maurice said a patch for existing releases is unlikely.

"In certain instances... backporting is very difficult or impossible because of the amount of code change required, or because the fix would create significant regressions, or because there is no reasonable way to automate the application of the fix (for example when user interaction is required to change configuration parameters)."

Joxean Koret, the security researcher who originally reported the vulnerability to Oracle in 2008 and had believed that Oracle fixed it, released a proof-of-concept attack method on the Full Disclosure mailing list on Wednesday last week. On Thursday, Koret said that the 'Oracle TNS Poison' flaw was a zero-day, that is, a flaw for which no patch exists.

Topics: Security

About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues.
