Oracle won't patch critical hole in Database

Summary: A serious security flaw in Oracle Database 11g and 10g, flagged by the company in April, will not get a permanent fix as the work is too tricky, the company has said.

A long-standing critical flaw in Oracle Database will not get a permanent fix because the work is not straightforward, the software company has said.

[Image: Oracle HQ] Oracle will not patch a known-about zero-day in two versions of its Database product.

The flaw in the Transport Network Substrate (TNS) Listener database component, which could allow a hacker to break into a database without a username or password, affects versions of Database 11g and 10g.

In April, Oracle flagged the issue and said it might be able to rectify it, but noted the difficulties in doing this. On Tuesday, it confirmed it will not issue a fix.

"Because of the nature of this issue (amount of code change required, potential for significant regression issues, and inability to automate the application of a fix), Oracle does not plan to backport a permanent fix for this vulnerability in any upcoming Critical Patch Update," the company said in its July security bulletin.

Oracle has known about the TNS issue for at least four years. It recommended in April that Database administrators apply workarounds listed in a security advisory. A proof-of-concept attack method for the vulnerability has been made public by the security researcher who originally discovered the bug in 2008.

A spokesman for the company declined to comment on whether the security flaw will be fixed in the next release of the software, Database 12g.

Oracle's July Critical Patch Update contained 87 fixes, rather than the 88 fixes trailed in its pre-announcement.

UPDATE 11.30am BST 20 July: This story has been updated following a reader comment.


About the author

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues. Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books.
