Critical zero-day bug in Oracle database servers, says researcher

Koret has named the vulnerability Oracle TNS Poison, a zero-day that affects all database versions. “There is no patch at all for this vulnerability and Oracle refuses to write a patch for ‘any’ existing versions, even for Oracle 11g R2”, he wrote in a blog post.

Although Oracle announced in its quarterly security update, issued earlier this month, that the flaw had been fixed, Koret said that the fix applies only to future database releases, not to the versions currently deployed.

After an email exchange with Oracle that proved uninformative, Koret wrote: “This is a zero-day vulnerability with no patch, Oracle refuses to give details about which versions will have the fix. But they say the vulnerability is fixed. Cool.”

Alex Rothacker, director of security research at Application Security's Team SHATTER, told Kaspersky Lab’s Threatpost that the vulnerability enables an attacker to intercept traffic between the client and the Oracle database.

“It’s classic ‘man in the middle’. The attacker can now read all the data that is exchanged between the client and the server. The attacker can also hijack the connection and inject arbitrary commands or queries and execute them with the privileges of the authenticated user; in short, if the attacker intercepts a DBA connection, it’s game over and the attacker owns the database”, Rothacker explained.