Oracle fixes zero-day database vulnerability that was already ‘fixed’

On Monday, Oracle issued a security alert for Oracle TNS Poison, a zero-day that affects all database versions and that was identified by Koret and reported to the company in 2008.

Last week, Koret wrote in a blog that the vulnerability had not been patched despite Oracle’s claim to have plugged it in its quarterly security update issued early last month. Ironically, Oracle recognized Koret for contributing to the fix for the TNS flaw in the update.

However, Koret told Oracle to keep the recognition and fix the flaw. “This is a zero-day vulnerability with no patch, Oracle refuses to give details about which versions will have the fix. But they say the vulnerability is fixed. Cool.”

In response, Oracle ate crow and issued a security alert.

“This security alert addresses the security issue CVE-2012-1675, a vulnerability in the TNS listener which has been recently disclosed as 'TNS Listener Poison Attack' affecting the Oracle Database Server. This vulnerability may be remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality, integrity and availability of systems that do not have the recommended solution applied”, Oracle wrote.

Despite neglecting the vulnerability for four years, Oracle cautioned users: "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply this security alert solution as soon as possible."