Oracle has moved fast to offer workarounds for a critical vulnerability affecting its database products, four years after the company was told about the issue and after it had allegedly falsely claimed to have patched the flaw in April.
Products affected include various versions of Oracle Database 11g and Oracle Database 10g. Oracle Fusion Middleware, Enterprise Manager and the vendor’s E-Business Suite include the database component affected by the vulnerability, so Larry Ellison’s firm has advised IT teams to cover those products too.
“This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality, integrity and availability of systems that do not have recommended solution applied.”
Concerns were raised over the flaw last month, following an Oracle critical patch update that covered 88 vulnerabilities. One of the patches, dealing with the TNS Listener service, had stability issues, so the fix did not work as intended. The TNS Listener component routes an incoming client connection to the appropriate database server once the client has named the database instance it wants.
The flaw affecting the component was first disclosed to Oracle way back in 2008 by researcher Joxean Koret, who was credited in the patch update in April. Yet Koret was confused by the Oracle statement that the vulnerability “was fixed in future releases of the product” – something that did not make sense to the researcher.
Koret claimed the “zero-day” vulnerability still affected a large number of Oracle Database products. “Oracle refuses to patch the vulnerability in *any* existing version and Oracle refuses to give details about which versions will have the fix. But they say the vulnerability is fixed. Cool,” Koret wrote on Seclists.org.
Oracle has now moved to offer workarounds for the flaw, recommending users apply them as soon as possible.
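The article does not spell out the workarounds, so the following is an added illustration rather than Oracle's own guidance or tooling. It assumes the workarounds are the documented listener.ora parameters that restrict instance registration to a listener (SECURE_REGISTER_&lt;listener&gt;, DYNAMIC_REGISTRATION_&lt;listener&gt; and VALID_NODE_CHECKING_REGISTRATION_&lt;listener&gt;), and shows a small audit script that parses a constructed listener.ora and reports, per listener, whether remote registration is still unrestricted:

```python
"""Audit a listener.ora for registration-hardening parameters.

Added example, not Oracle code. Input below is constructed; parameter
names are the documented listener.ora ones (assumed to be the relevant
workaround family for this flaw).
"""
import re
from typing import Dict, List, Tuple

SECURE_REGISTER = "SECURE_REGISTER_"            # e.g. SECURE_REGISTER_LISTENER = (IPC)
DYNAMIC_REG = "DYNAMIC_REGISTRATION_"           # e.g. DYNAMIC_REGISTRATION_LISTENER = OFF
VNCR = "VALID_NODE_CHECKING_REGISTRATION_"      # e.g. VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON


def parse_top_level(text: str) -> Dict[str, str]:
    """Return top-level KEY = VALUE pairs; values may span several lines
    inside parentheses. '#' starts a comment."""
    entries: Dict[str, str] = {}
    key, buf, depth = None, [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if key is None:
            m = re.match(r"\s*([A-Za-z0-9_.]+)\s*=\s*(.*)$", line)
            if not m:
                continue  # stray line outside any parameter block
            key, buf = m.group(1).upper(), [m.group(2)]
        else:
            buf.append(line.strip())
        depth += line.count("(") - line.count(")")
        # Finalise once parentheses balance and we actually have a value.
        if depth <= 0 and "".join(buf).strip():
            entries[key] = " ".join(b for b in buf if b).strip()
            key, buf, depth = None, [], 0
    return entries


def assess_listener(name: str, entries: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (hardened, notes) for listener `name`."""
    hardened, notes = False, []
    if entries.get(DYNAMIC_REG + name, "").upper() == "OFF":
        hardened = True
        notes.append(f"{DYNAMIC_REG}{name} = OFF: dynamic registration disabled")
    sec = entries.get(SECURE_REGISTER + name, "").upper()
    if sec:
        protocols = re.findall(r"[A-Z]+", sec)
        if protocols and all(p == "IPC" for p in protocols):
            hardened = True
            notes.append(f"{SECURE_REGISTER}{name} restricts registration to IPC")
        else:
            notes.append(f"{SECURE_REGISTER}{name} = {sec}: network registration still allowed")
    vn = entries.get(VNCR + name, "").upper()
    if vn in ("ON", "1", "LOCAL", "2", "SUBNET", "3"):
        hardened = True
        notes.append(f"{VNCR}{name} = {vn}: registering nodes are checked")
    if not notes:
        notes.append(f"no registration restriction set for {name}")
    return hardened, notes


def audit(text: str) -> Dict[str, Tuple[bool, List[str]]]:
    """Map each listener defined in the file to its assessment."""
    entries = parse_top_level(text)
    report = {}
    for key, val in entries.items():
        # A listener definition carries an ADDRESS; SID_LIST_* blocks do not define one.
        if key.startswith("SID_LIST_") or "(ADDRESS" not in val.upper():
            continue
        report[key] = assess_listener(key, entries)
    return report


# Constructed sample: default-style listener with no registration restriction.
LISTENER_WEAK = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db.example.internal)(PORT = 1521))
    )
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = ORCL)(ORACLE_HOME = /u01/app/oracle/product/11.2.0/dbhome_1))
  )
"""
# Same file with the restriction parameters added.
LISTENER_HARD = LISTENER_WEAK + """
SECURE_REGISTER_LISTENER = (IPC)
DYNAMIC_REGISTRATION_LISTENER = OFF
"""

if __name__ == "__main__":
    for label, text in (("weak", LISTENER_WEAK), ("hardened", LISTENER_HARD)):
        for listener, (ok, notes) in audit(text).items():
            print(f"[{label}] {listener}: {'OK' if ok else 'EXPOSED'} - " + "; ".join(notes))
```

The parser only reads top-level assignments, which is all the check needs; it deliberately does not interpret the nested DESCRIPTION blocks beyond spotting an ADDRESS. Point it at a real listener.ora by replacing the constructed strings, and treat an EXPOSED result as a prompt to consult Oracle's own workaround notes for the version in use.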