Oracle won't patch critical hole in Database

Summary: A serious security flaw in Oracle Database 11g and 10g flagged by the company in April will not get a permanent fix as the work is too tricky, the company has said

A long-standing critical flaw in Oracle Database will not get a permanent fix because the work is not straightforward, the software company has said.

Oracle HQ
Oracle will not patch a known-about zero day in two versions of its Database product.

The flaw in the Transport Network Substrate (TNS) Listener database component, which could allow a hacker to break into a database without a username or password, affects versions of Database 11g and 10g.

In April, Oracle flagged the issue and said it might be able to rectify it, but noted the difficulties in doing this. On Tuesday, it confirmed it will not issue a fix.

"Because of the nature of this issue (amount of code change required, potential for significant regression issues, and inability to automate the application of a fix), Oracle does not plan to backport a permanent fix for this vulnerability in any upcoming Critical Patch Update," the company said in its July security bulletin.

Oracle has known about the TNS issue for at least four years. It recommended in April that Database administrators apply workarounds listed in a security advisory. A proof-of-concept attack method for the vulnerability has been made public by the security researcher who originally discovered the bug in 2008.

A spokesman for the company declined to comment on whether the security flaw will be fixed in the next release of the software, Database 12g.

Oracle's July Critical Patch Update contained 87 fixes, rather than the 88 fixes trailed in its pre-announcement.

UPDATE 11.30am BST 20 July: This story has been updated following a reader comment.

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Talkback

7 comments
  • Enterprise software with hole?

    Especially permanent ones?
    kd5auq
  • Translation....

    We are not going to fix this so we can sell you a new version of our database.
    linux for me
  • It may sound strange but it's ok.

    There was too much hype about this flaw coming from people who don't have anything in common with Oracle software. That "vulnerability" is rather just a typical old-school lack of any special security in communication between the database and the listener. This has been well known to anyone working with Oracle for ages, and for ages everyone has used the network level to enforce this security. The problem is virtual. I've seen thousands of Oracle databases and have never seen such a thing not secured. Maybe in some completely unimportant dev environments - but even if so, it wasn't the biggest problem there. If someone has an environment that would allow this vulnerability to be used from the user side, not even talking about the internet, it means that he has very general problems with everything in his IT environment, not only with that.

    Of course the fact that they want to sell everyone a new version, especially on their pet hardware, is another side of this story.
    Mr Wrong
    • It may sound strange, but you didn't understand the vulnerability

      There wasn't too much hype: there was too little, in my opinion. Look, this is an unauthenticated vulnerability that was introduced 13 years ago and affects all versions since 8i. It allows MITM of any connection between clients and the TNS Listener. It doesn't matter if you're using SSL or the like: the fake TNS Listener can answer that it supports no cipher (or choose between already broken ciphers). I have seen thousands of Oracle databases and, to be honest, except those installed by me where I silently 'workarounded' the vulnerability, all of them were vulnerable.

      BTW, I'm the guy who found that vulnerability.
      matalaz
      • Truth in advertising, at least...

        Note that the OP you're responding to did post as Mr. Wrong.
        ibsteve2u
  • This is a workaround to help protect against this vulnerability

    Oracle has released workarounds which can be found at My Oracle Support Note 1340831.1 and My Oracle Support Note 1453883.1.
    lipanitech
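The two comments above describe the problem (a rogue listener accepting an unauthenticated registration and then sitting between clients and the database) and point at Oracle's published workarounds without saying what they change. The following is an added example, not code from the article, the commenters or Oracle: a small Python audit of a listener.ora that reports whether each listener restricts instance registration. It assumes the parameter names from Oracle's Class of Secure Transport workaround, SECURE_REGISTER_<listener> (registration only over IPC or TCPS) and the later VALID_NODE_CHECKING_REGISTRATION_<listener> setting; neither name appears on this page, and the two listener.ora fragments are constructed for the example.

```python
import re

# Constructed listener.ora fragment (not from the page): a listener that accepts
# service registration from anything that can reach its TCP endpoint.
WEAK_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )
"""

# Same listener with the (assumed) COST workaround and the later
# valid-node-checking parameter added; constructed for this example.
HARDENED_LISTENER_ORA = WEAK_LISTENER_ORA + """
# COST: only accept instance registration over the local IPC endpoint
SECURE_REGISTER_LISTENER = (IPC)
# 11.2.0.4+ style alternative: only local nodes may register
VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON
"""


def parse_listener_ora(text):
    """Split a listener.ora into top-level NAME = VALUE entries.

    Values may span several lines; an entry is complete once its parentheses
    balance. '#' starts a comment, as in Oracle's own file format.
    """
    entries = {}
    name, buf, depth = None, [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if name is None:
            m = re.match(r"\s*([A-Za-z0-9_.]+)\s*=\s*(.*)$", line)
            if not m:
                continue  # continuation garbage outside any entry; skip
            name, rest = m.group(1).upper(), m.group(2)
            buf = [rest]
            depth = rest.count("(") - rest.count(")")
        else:
            buf.append(line.strip())
            depth += line.count("(") - line.count(")")
        # Finalise when parentheses balance and something was actually read
        # (guards against 'NAME =' with the value on the following lines).
        if depth <= 0 and any(buf):
            entries[name] = " ".join(s for s in buf if s)
            name, buf, depth = None, [], 0
    return entries


def listener_names(entries):
    """Listener definitions are the entries whose value is a DESCRIPTION block."""
    return [k for k, v in entries.items() if v.upper().startswith("(DESCRIPTION")]


def audit_registration(entries):
    """For each listener, report whether instance registration is restricted.

    Returns {listener: (status, reason)} with status 'restricted' or
    'unrestricted'. Accepted values are my reading of Oracle's documentation,
    not something quoted on this page.
    """
    report = {}
    for lsnr in listener_names(entries):
        cost = entries.get(f"SECURE_REGISTER_{lsnr}", "")
        protocols = {p.strip().upper() for p in cost.strip("() ").split(",") if p.strip()}
        vnc = entries.get(f"VALID_NODE_CHECKING_REGISTRATION_{lsnr}", "").strip().upper()
        if protocols and protocols <= {"IPC", "TCPS"}:
            report[lsnr] = ("restricted",
                            f"SECURE_REGISTER limits registration to {sorted(protocols)}")
        elif vnc in {"ON", "1", "LOCAL", "SUBNET", "2"}:
            report[lsnr] = ("restricted", f"VALID_NODE_CHECKING_REGISTRATION={vnc}")
        else:
            report[lsnr] = ("unrestricted",
                            "any host reaching the TCP endpoint may register a service")
    return report


if __name__ == "__main__":
    for label, text in (("weak", WEAK_LISTENER_ORA), ("hardened", HARDENED_LISTENER_ORA)):
        for lsnr, (status, reason) in audit_registration(parse_listener_ora(text)).items():
            print(f"{label:9s} {lsnr}: {status} ({reason})")
```

The parser deliberately only tracks top-level entries and parenthesis depth, which is enough to pair a listener with its per-listener parameters; it does not validate the DESCRIPTION body. A real audit would run this over every listener.ora on the host and treat any 'unrestricted' result as the network-level exposure the second commenter describes.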
  • It sounds shocking, but what databases are truly secure?

    It would be a brave company that would access its databases over a non-VPN public connection. Who can guarantee that any other database's login is unhackable?
    pratensis