Oracle has declined to patch a critical vulnerability in its flagship database product, leaving customers vulnerable to attacks that siphon confidential information from corporate servers and execute malware on backend systems, a security researcher said.
Virtually all versions of the Oracle Database Server released in the past 13 years contain a bug that allows hackers to perform man-in-the-middle attacks that monitor all data passing between the server and end users who are connected to it. That's what Joxean Koret, a security researcher based in Spain, told Ars. The "Oracle TNS Poison" vulnerability, as he has dubbed it, resides in the Transparent Network Substrate Listener, which routes connections between clients and the database server. Koret said Oracle learned of the bug in 2008 and indicated in a recent e-mail that it had no plans to fix current supported versions of the enterprise product because of concerns it could cause "regressions" in the code base.
- Ars Technica
- Dan Goodin