
Oracle Issues Security Alert For Database Flaw

Oracle has recommended workarounds for a zero-day Oracle Database flaw which wasn't fixed in last month's critical patch.

The flaw is a vulnerability in the TNS listener that could allow an attacker to fully compromise a database without needing to know a username or password.

Oracle issued a security advisory to say: "This security alert addresses the security issue CVE-2012-1675, a vulnerability in the TNS listener which has been recently disclosed as 'TNS Listener Poison Attack' affecting the Oracle Database Server.

"This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality, integrity and availability of systems that do not have recommended solution applied."

Writing on Oracle's Software Security Assurance Blog, Eric Maurice (not a fan of full-stops, apparently) noted: "Shortly after the release of the Critical Patch Update, mistakenly assuming that the issue had been backported through the CPU, Joxean Koret, the initial reporter of this vulnerability, fully disclosed its details, initially stating that it had been fixed by Oracle, then after realizing that it had not been fixed in current releases, reported the vulnerability as a 0-day."

Oracle recommends that customers follow the technical defensive measures noted in its security alert, particularly now that this issue has been highlighted.

Source: Oracle Blog

Darren Allan