Oracle scrambles workarounds for database zero-day


Oracle has recommended workarounds for a zero-day Oracle Database flaw that was not fixed in the company's April critical patch update.

The flaw in the Transport Network Substrate (TNS) Listener database component, which Oracle has known about for at least four years, could allow a hacker to break into a database without a username or password, Oracle said in a security advisory on Monday. TNS Listener manages network traffic between the database and a client.

Oracle Database administrators should use workarounds including implementing Class of Secure Transport (COST) restrictions, Oracle software security assurance director Eric Maurice said in a blog post on Monday.

The flaw may be fixed in a future version of Oracle Database but is unlikely to be patched, Maurice said.

"In certain instances... backporting is very difficult or impossible because of the amount of code change required, or because the fix would create significant regressions, or because there is no reasonable way to automate the application of the fix (for example when user interaction is required to change configuration parameters)."

Joxean Koret, a security researcher who originally reported the vulnerability in 2008 and believed that Oracle had patched the flaw, released a proof-of-concept attack method on the Full Disclosure mailing list on Wednesday last week. On Thursday, Koret said that the 'Oracle TNS Poison' flaw was a zero-day — i.e., it has no patch.


Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.
