Oracle scrambles to contain 0-day disclosure snafu

Oracle rushes out a security advisory with workarounds for a dangerous Database Server security flaw that dates back to 2008.
Written by Ryan Naraine, Contributor

Oracle is scrambling to contain the damage from a vulnerability disclosure hiccup that led to the release of a dangerous zero-day flaw in its flagship Database Server product.

The vulnerability, disclosed by researcher Joxean Koret after he mistakenly thought it had been fixed by Oracle, allows an attacker to hijack the information exchanged between clients and databases.

Koret originally reported the vulnerability to Oracle in 2008 (four years ago!) and said he was surprised to see it had been fixed in Oracle's most recent Critical Patch Update without any acknowledgment of his work.

He went ahead and published technical details of the TNS Listener Poison Attack to urge database administrators to apply the patch but, alas, the issue is still unpatched.

Oracle then rushed out a security alert that confirms the severity of the flaw. "This vulnerability is remotely exploitable without authentication, and if successfully exploited, can result in a full compromise of the targeted Database," the company warned.

The advisory contains a number of technical measures to provide effective defense against this vulnerability in all deployment scenarios.

According to Alex Rothacker at Application Security Inc., there are a few things to keep in mind:

  • Oracle's security advisory does NOT contain a patch. It is a detailed level step-by-step set of instructions for the workaround (Koret already published the workaround information last week).
  • Oracle had to change its licensing model overnight to actually allow customers to gain access to this workaround, which was previously the “Advanced Security” paid premium feature.
  • Oracle knew about this vulnerability for FOUR years and still has yet to fix it…and the only reason they are addressing this major vulnerability at all is because of the actions of Koret (despite his attempts to get them to fix this). It appears evident that they had no plans to do anything until this action. How many other major vulnerabilities exist that aren't being taken care of? You can bet this isn't the only one.
  • Oracle continues to water down CVSS scores and has this critical vulnerability listed as a 7.5, whereas non-Oracle security researchers are listing this as the highest CVSS score possible, 10.0.
