Oracle warned in a security advisory that the vulnerability might be “remotely exploitable without authentication”, meaning it could be exploited over a network without a username or password. Hash collisions occur when two distinct inputs produce the same hash value.
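Why a flood of colliding keys is a remote, unauthenticated denial-of-service vector is easier to see in code. The following is an added example and is not from the article or from Oracle; the article does not say which hash function is affected, so it assumes a Java-style 31-multiplier string hash as a representative predictable hash, uses a toy chained hash table that counts key comparisons, and uses a keyed BLAKE2b hash as a stand-in for the usual mitigation (randomizing the hash per process so an attacker cannot precompute collisions).

```python
"""Hash-collision denial of service on a toy chained hash table (added example).

Assumption: a Java-style string hash (h = 31*h + c, wrapped to 32 bits) as the
predictable hash under attack. Nothing here is Oracle's or GlassFish's code.
"""
import hashlib
import itertools
import random
import string


def java_string_hash(s: str) -> int:
    """Java-style String.hashCode(): h = 31*h + c, wrapped to a signed 32-bit int."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h >= (1 << 31) else h


def colliding_keys(count: int) -> list[str]:
    """Return `count` distinct strings that all share one java_string_hash value.

    'Aa' and 'BB' collide (65*31+97 == 66*31+66 == 2112). Because the hash is a
    polynomial in 31, any concatenation of k such pairs collides with every other
    concatenation of the same length: 2**k keys, one hash, computed offline.
    """
    pairs = ("Aa", "BB")
    k = max(1, (count - 1).bit_length())  # smallest k with 2**k >= count
    keys = []
    for combo in itertools.product(pairs, repeat=k):
        keys.append("".join(combo))
        if len(keys) == count:
            break
    return keys


def keyed_hash(secret: bytes):
    """Mitigation stand-in: a per-process secret key makes collisions unpredictable."""
    def fn(s: str) -> int:
        digest = hashlib.blake2b(s.encode(), key=secret, digest_size=4).digest()
        return int.from_bytes(digest, "big")
    return fn


class ChainedHashTable:
    """Minimal separate-chaining table that counts key comparisons on insert."""

    def __init__(self, nbuckets: int = 1024, hash_fn=java_string_hash):
        self.buckets = [[] for _ in range(nbuckets)]
        self.hash_fn = hash_fn
        self.comparisons = 0

    def put(self, key: str, value) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:           # every existing entry in the chain is compared
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def insertion_cost(keys: list[str], nbuckets: int = 1024, hash_fn=java_string_hash) -> int:
    """Total key comparisons needed to insert `keys` (n*(n-1)/2 if all collide)."""
    table = ChainedHashTable(nbuckets, hash_fn)
    for k in keys:
        table.put(k, None)
    return table.comparisons


def random_keys(count: int, length: int = 16, seed: int = 1) -> list[str]:
    """Constructed benign input: deterministic pseudo-random keys of the same count."""
    rng = random.Random(seed)
    return ["".join(rng.choices(string.ascii_letters, k=length)) for _ in range(count)]


if __name__ == "__main__":
    n = 4096  # roughly one small HTTP POST body worth of parameter names
    attack = colliding_keys(n)
    print("distinct attack keys:", len(set(attack)),
          "distinct hashes:", len({java_string_hash(k) for k in attack}))
    print("comparisons, benign keys:      ", insertion_cost(random_keys(n)))
    print("comparisons, colliding keys:   ", insertion_cost(attack))
    print("comparisons, colliding + keyed:", insertion_cost(attack, hash_fn=keyed_hash(b"per-process-secret")))
```

With 4096 colliding parameter names the table performs 4096*4095/2 = 8,386,560 comparisons instead of the few thousand a benign request costs, and the attacker needs no credentials, only the ability to send a request whose parameters the server parses into a hash table. Keying the hash with a secret the attacker cannot know restores the even distribution, which is the fix that runtimes and web frameworks adopted for this class of bug.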
The company noted that a fix for the same vulnerability in the GlassFish Server was released in its quarterly patch update last month. In that update, Oracle shipped 78 patches across the full range of its products, including two fixes to its Database Server.
Oracle has come under fire for its Database patching process. Following the January patch update, Alex Rothacker with TeamSHATTER and Amichai Shulman, chief technology officer with Imperva, both criticized the company for only patching two Database vulnerabilities.
“Oracle, what happened? Did you throw in the towel on DBMS fixes? I know it’s not because the Database is finally fixed for good and is now suddenly secure”, Rothacker quipped.
“There are only two vulnerabilities in the database product. Why? Either the database server has reached an amazing maturity in terms of security or Oracle did not have enough resources to include more fixes into the process”, Shulman lamented.