Oracle has recommended workarounds for a zero-day Oracle Database flaw that was not fixed in the company's April critical patch update. The flaw in the Transport Network Substrate (TNS) Listener database component, which Oracle has known about for at least four years, could allow a hacker to break into a database without a username or password, Oracle said in a security advisory on Monday. TNS Listener manages network traffic between the database and a client.
Oracle Database administrators should use workarounds including implementing Class of Secure Transport (COST) restrictions, Oracle software security assurance director Eric Maurice said in a blog post on Monday.
The flaw may be fixed in a future version of Oracle Database, but the flaw is unlikely to be patched, Maurice said.
"In certain instances... backporting is very difficult or impossible because of the amount of code change required, or because the fix would create significant regressions, or because there is no reasonable way to automate the application of the fix (for example when user interaction is required to change configuration parameters)."
Joxean Koret, a security researcher who originally reported the vulnerability in 2008 and believed that Oracle had patched the flaw, released a proof-of-concept attack method on the Full Disclosure mailing list on Wednesday last week. On Thursday, Koret said that the 'Oracle TNS Poison' flaw was a zero-day — i.e., it has no patch.