Oracle won't patch critical hole in Database

A serious security flaw in Oracle Database 11g and 10g flagged by the company in April will not get a permanent fix as the work is too tricky, the company has said
Written by Tom Espiner, Contributor

A long-standing critical flaw in Oracle Database will not get a permanent fix because the work is not straightforward, the software company has said.

Oracle HQ
Oracle will not patch a known-about zero day in two versions of its Database product.

The flaw in the Transport Network Substrate (TNS) Listener database component, which could allow a hacker to break into a database without a username or password, affects versions of Database 11g and 10g.

In April, Oracle flagged the issue and said it might be able to rectify it, but noted the difficulties in doing this. On Tuesday, it confirmed it will not issue a fix.

"Because of the nature of this issue (amount of code change required, potential for significant regression issues, and inability to automate the application of a fix), Oracle does not plan to backport a permanent fix for this vulnerability in any upcoming Critical Patch Update," the company said in its July security bulletin.

Oracle has known about the TNS issue for at least four years. It recommended in April that Database administrators apply workarounds listed in a security advisory. A proof-of-concept attack method for the vulnerability has been made public by the security researcher who originally discovered the bug in 2008.

A spokesman for the company declined to comment on whether the security flaw will be fixed in the next release of the software, Database 12g.

Oracle's July Critical Patch Update contained 87 fixes, rather than the 88 fixes trailed in its pre-announcement.

UPDATE 11.30am BST 20 July: This story has been updated following a reader comment.

Editorial standards