Critical Unpatched Oracle Vulnerability - SANS Internet Storm Center

Critical Unpatched Oracle Vulnerability
Oracles April "Critical Patch Update" listed a vulnerability in the TNS Listener services as one of the patched vulnerabilities. Sadly, it turns out that current versions of Oracle are not patched. Instead, the vulnerability will apparently only be fixed in future versions of the Oracle database. According to a statement from Oracle quoted by the discoverer of the vulnerability, the fix would have possible had stability issues for current versions of Oracle. [1] The vulnerability was responsibly reported to Oracle back in 2008. Upon release of the April CPU, Joxean Koret, who originally found the vulnerability, came forward with additional details including a proof of concept exploit, fully expecting that a patch is now available. So in short: We got an unpatched remote code execution vulnerability in all current versions of Oracle with proof of concept exploit code. Joxean's details published after the CPU release also include some useful workarounds [2]. Please refer to the post for details. [1] http://seclists.org/fulldisclosure/2012/Apr/343 [2] http://seclists.org/fulldisclosure/2012/Apr/204 ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022	Johannes 4479 Posts ISC Handler Apr 27th 2012
Thread locked Subscribe	Apr 27th 2012 1 decade ago
"So in short: We got an unpatched remote code execution vulnerability in all current versions of Oracle with proof of concept exploit code." ---and no hope for a patch. Hey Oracle, learn from others: Throwing your customers under the bus is not a good thing. Make this happen. Your competition is watching...	Gilbert 21 Posts
Quote	Apr 28th 2012 1 decade ago
And magically there's a patch today... ================================== April 30th, 2012 Oracle Security Alert for CVE-2012-1675 Dear Oracle Customer, Oracle Security Alert for CVE-2012-1675 was released on April 30th, 2012. This security alert addresses the recently publicly disclosed "Oracle TNS Listener Poison Attack" affecting Oracle Database Server. Oracle strongly recommends applying Security Alert fixes as soon as possible. The Security Alert Advisory is the starting point for relevant information. It includes the list of products affected, a summary of the security vulnerability, and a pointer to obtain the latest patches. Supported products that are not listed in the "Affected Products and Versions" section of the advisory do not require new patches to be applied. Also, it is essential to review the Security Alert supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information. The Advisory is available at the following location: Oracle Critical Patch Updates and Security Alerts: http://www.oracle.com/technetwork/topics/security/alerts-086861.html Oracle Security Alert CVE-2012-1675: http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html Thank you, Customer Support of Oracle Corporation	Anonymous
Quote	Apr 30th 2012 1 decade ago

Oracles April "Critical Patch Update" listed a vulnerability in the TNS Listener services as one of the patched vulnerabilities. Sadly, it turns out that current versions of Oracle are not patched. Instead, the vulnerability will apparently only be fixed in future versions of the Oracle database. According to a statement from Oracle quoted by the discoverer of the vulnerability, the fix would have possible had stability issues for current versions of Oracle. [1]

The vulnerability was responsibly reported to Oracle back in 2008. Upon release of the April CPU, Joxean Koret, who originally found the vulnerability, came forward with additional details including a proof of concept exploit, fully expecting that a patch is now available.

So in short: We got an unpatched remote code execution vulnerability in all current versions of Oracle with proof of concept exploit code.

Joxean's details published after the CPU release also include some useful workarounds [2]. Please refer to the post for details.

[1] http://seclists.org/fulldisclosure/2012/Apr/343
[2] http://seclists.org/fulldisclosure/2012/Apr/204

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022

Johannes

4479 Posts
ISC Handler

Apr 27th 2012

"So in short: We got an unpatched remote code execution vulnerability in all current versions of Oracle with proof of concept exploit code."

---and no hope for a patch. Hey Oracle, learn from others: Throwing your customers under the bus is not a good thing. Make this happen. Your competition is watching...

Gilbert

21 Posts

And magically there's a patch today...

==================================
April 30th, 2012
Oracle Security Alert for CVE-2012-1675

Dear Oracle Customer,

Oracle Security Alert for CVE-2012-1675 was released on April 30th, 2012.

This security alert addresses the recently publicly disclosed "Oracle TNS Listener Poison Attack" affecting Oracle Database Server.

Oracle strongly recommends applying Security Alert fixes as soon as possible.

The Security Alert Advisory is the starting point for relevant information. It includes the list of products affected, a summary of the security vulnerability, and a pointer to obtain the latest patches. Supported products that are not listed in the "Affected Products and Versions" section of the advisory do not require new patches to be applied.

Also, it is essential to review the Security Alert supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.

The Advisory is available at the following location:

Oracle Critical Patch Updates and Security Alerts:
http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Oracle Security Alert CVE-2012-1675:
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html

Thank you,
Customer Support of Oracle Corporation

Anonymous