Oracle scrambles to contain 0-day disclosure snafu


Ryan Naraine

Oracle is scrambling to contain the damage from a vulnerability disclosure hiccup that led to the public release of details of a dangerous zero-day flaw in its flagship Database Server product.

The vulnerability, disclosed by researcher Joxean Koret after he mistakenly thought it had been fixed by Oracle, allows an attacker to intercept and hijack the traffic exchanged between clients and databases.

Koret originally reported the vulnerability to Oracle in 2008 (four years ago!) and said he was surprised to see what appeared to be a fix in Oracle's most recent Critical Patch Update, with no acknowledgment of his work.

He went ahead and published the technical details of the TNS Listener Poison Attack to urge database administrators to apply the patch but, alas, the issue is still unpatched.
