Oracle Issues Security Alert For Database Flaw

Oracle has recommended workarounds for a zero-day Oracle Database flaw which wasn't fixed in last month's critical patch.

The flaw in question is a vulnerability in the TNS listener, via which a hacker could potentially fully compromise a database without needing to know a username or password.

Oracle issued a security advisory to say: "This security alert addresses the security issue CVE-2012-1675, a vulnerability in the TNS listener which has been recently disclosed as "TNS Listener Poison Attack" affecting the Oracle Database Server.

"This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality, integrity and availability of systems that do not have recommended solution applied."

Writing on Oracle's Software Security Assurance Blog, Eric Maurice (not a fan of full-stops, apparently) noted: "Shortly after the release of the Critical Patch Update, mistakenly assuming that the issue had been backported through the CPU, Joxean Koret, the initial reporter of this vulnerability, fully disclosed its details, initially stating that it had been fixed by Oracle, then after realizing that it had not been fixed in current releases, reported the vulnerability as a 0-day."

Oracle recommends that customers follow the technical defensive measures noted in its security alert here, particularly now this issue has been highlighted.

Source: Oracle Blog