Oracle has
recommended workarounds for a zero-day Oracle Database flaw that was not
fixed in the company's April critical patch update. Oracle issued a security alert
for Oracle TNS Poison, the vulnerability, disclosed by researcher
Joxean Koret after he mistakenly thought it had been fixed by Oracle,
allows an attacker to hijack the information exchanged between clients
and databases.
Koret originally reported the
vulnerability to Oracle in 2008, four years ago! and said he was
surprised to see it had been fixed in Oracle’s most recent Critical
Patch Update without any acknowledgment of his work.
”This
vulnerability is remotely exploitable without authentication, and if
successfully exploited, can result in a full compromise of the targeted
Database,” the company warned.
“This
security alert addresses the security issue CVE-2012-1675, a
vulnerability in the TNS listener which has been recently disclosed as
'TNS Listener Poison Attack' affecting the Oracle Database Server. This
vulnerability may be remotely exploitable without authentication, i.e.,
it may be exploited over a network without the need for a username and
password. A remote user can exploit this vulnerability to impact the
confidentiality, integrity and availability of systems that do not have
recommended solution applied”, Oracle wrote.
A TNS Listener feature known as
remote registration dates back to at least 1999 with version 8i of the
Oracle Database. By sending a simple query to the service, an attacker
can hijack connections legitimate users have already established with
the database without the need of a password or other authentication.
From then on, data traveling between legitimate users and the server
pass through the connection set up by the attacker.
Oracle released a critical update for versions 10g and 11g database products fixing this vulnerability.
0 comments:
Post a Comment