Oracle experiences major security gaffe

Published: Tuesday, May 1, 2012

Oracle database users could be at significant risk, as a security expert who found a major zero-day vulnerability in the company's software inadvertently released details about the exploitable flaw before Oracle had actually fixed it, InfoWorld reported.

Researcher Joxean Koret identified the vulnerability, and when he saw his name listed as a contributor to the April 2012 Critical Patch Update from Oracle, he assumed the issue had been taken care of, since the company had told him the fix would be included in a future update. In response, Koret wrote an email to a full disclosure list detailing the vulnerability and at least one possible way that it could be exploited. Shortly thereafter, Oracle revealed that the April patch did not actually fix that vulnerability, creating a scenario where countless hackers may now know about the major security flaw that exists within Oracle database software, InfoWorld explained.

According to the news source, the email from Koret details how the vulnerability functions. The TNS Listener, a utility within Oracle databases, contains code that allows a client to register a database instance with the listener from a remote location, without authentication. If the new database instance is registered under the same name as an already existing instance, the TNS system will move the original database to a secondary file location, making the new, remotely registered instance primary. From there, the TNS Listener provides automatic load balancing between the two instances, while giving the remote user access to information that is directed to the secondary instance. In this way, an attacker could set up a proxy instance and capture the data sent between the two systems.
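The following is an added illustration, not Oracle's code and not from the InfoWorld report: a toy model of the registration behaviour the article describes. A naive listener registry accepts any service registration and, when a second instance claims an existing name, starts load-balancing client connections across both, so a share of the traffic is routed to the newcomer. The hardened variant models the defensive idea of only accepting registrations from hosts an administrator has explicitly allowed. The service name, hostnames and allow-list are constructed values, and the classes and method names are assumptions for this example only; Oracle's real listener has its own configuration for restricting registration, which this toy does not reproduce.

```python
"""Toy model of listener service registration (added example, not Oracle code).

NaiveListener mirrors the behaviour described in the article: any host may
register any service name, and duplicate names form a load-balanced pool.
HardenedListener keeps the same interface but refuses registrations from
hosts that are not on an explicit allow-list, so a remote party cannot
insert itself into the pool for an existing service.
"""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, Iterator, List, Optional, Set


@dataclass
class Instance:
    service: str
    host: str


class NaiveListener:
    """Accepts every registration; duplicate service names become a round-robin pool."""

    def __init__(self) -> None:
        self.pools: Dict[str, List[Instance]] = {}
        self._rr: Dict[str, Iterator[Instance]] = {}

    def register(self, service: str, host: str) -> bool:
        # No check at all on who is registering: the newcomer joins the pool.
        self.pools.setdefault(service, []).append(Instance(service, host))
        # Rebuild the round-robin iterator so the new instance is included.
        self._rr[service] = cycle(self.pools[service])
        return True

    def route(self, service: str) -> Optional[str]:
        """Return the host the next client connection for `service` goes to."""
        rr = self._rr.get(service)
        return next(rr).host if rr is not None else None


class HardenedListener(NaiveListener):
    """Same routing logic, but registration is restricted to allow-listed hosts."""

    def __init__(self, allowed_hosts: Set[str]) -> None:
        super().__init__()
        self.allowed_hosts = set(allowed_hosts)
        self.rejected: List[Instance] = []  # audit trail for refused attempts

    def register(self, service: str, host: str) -> bool:
        if host not in self.allowed_hosts:
            self.rejected.append(Instance(service, host))
            return False
        return super().register(service, host)


def simulate(listener: NaiveListener, connections: int = 6) -> Set[str]:
    """Register a legitimate instance, then a foreign one under the same name,
    and report which hosts end up receiving client connections.

    Hostnames below are constructed for this example.
    """
    listener.register("orcl", "db-primary.internal")   # the real database host
    listener.register("orcl", "10.0.0.99")             # constructed foreign host
    return {listener.route("orcl") for _ in range(connections)}


if __name__ == "__main__":
    print("naive   :", simulate(NaiveListener()))
    hardened = HardenedListener(allowed_hosts={"db-primary.internal"})
    print("hardened:", simulate(hardened), "rejected:", hardened.rejected)
```

Running the block shows the naive listener spreading connections over both hosts, while the hardened listener routes every connection to the allow-listed host and records the refused registration, which is exactly the event a defender would want logged and alerted on.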

In the email, Koret explained that this is not the only way the vulnerability could be exploited to steal data, the report said.

Because Oracle traditionally lists the person who found a vulnerability as a contributor to the patch that fixes it, Koret assumed the issue had been fixed before he sent out the disclosure email. Oracle then revealed that the patch containing the necessary fix was still in development, because the problem is especially complex to resolve and would have to wait until the next patch release, Koret explained in a second full disclosure email.

This incident furthers the argument for open source database software. Vulnerabilities like this exist in almost any software, as having source code that is so perfect as to be impervious to sophisticated attacks is nearly impossible. However, Oracle's response to the scenario is the problem. With open source software, there is an entire development community working to solve any vulnerabilities that are found, and updates are not necessarily kept on a rigid schedule. At the same time, many businesses customize their open source database so much that a vulnerability is sometimes dealt with inadvertently. Essentially, the customization opportunities and flexibility offered by open source solutions make it much more difficult for a security error of this magnitude to happen.

Furthermore, an open source solution is often less likely to be targeted in such attacks, as hackers often veer away from developing malware to target open source software. In some cases, the lack of attacks focused on open source systems comes because fewer people tend to use an open source solution; however, it is also important to realize that because open source software is often customized in a diverse range of ways, it can be more difficult to engineer attacks against it. With proprietary software, on the other hand, an attack that works on one instance of the solution will likely work on most others.