No patch for critical Oracle database vulnerability
Oracle has decided not to fix a critical vulnerability in its 10g and 11g databases. Instead, users are expected to make do with a previously described workaround. Due to the "nature of this issue", the company says that it has no plans to put together a fix for currently supported versions of the database software.
According to Oracle, a large amount of code would need to be changed and there would be a significant risk of potential regressions. They also cite the inability to automate the installation of a patch for the problem. Oracle's customers are therefore left with only one option – to use the workaround, which essentially consists of securing cluster administration using "Class of Secure Transport" (COST). The company does not plan to fix the vulnerability before the release of version 12.
The database server is vulnerable to an attack known as TNS listener poisoning, in which an attacker is able to eavesdrop on database communication via an injected cluster node. Details of the attack were first published in April as the result of a mix-up in communication between Oracle and the discoverer of the vulnerability. He originally informed Oracle of the problem more than four years ago; since then, Oracle has released a new major version in which it simply ignored the problem.
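As an added example that is not part of the article and not Oracle's own tooling, the following check reads a listener.ora excerpt and reports, per listener, whether the COST workaround described above restricts instance registration to local IPC or TLS-protected transports. The parameter names SECURE_REGISTER_<listener> and DYNAMIC_REGISTRATION_<listener> are taken from Oracle's published COST guidance; the listener names, host name and ports in the sample are constructed.

```python
import re

# Constructed listener.ora excerpt (not from the article): one listener left at
# defaults, one with the COST restrictions applied.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

LISTENER_SECURE =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1522))
      (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
    )
  )

# COST parameters: only local IPC registrations accepted, remote dynamic registration off.
SECURE_REGISTER_LISTENER_SECURE = (IPC)
DYNAMIC_REGISTRATION_LISTENER_SECURE = OFF
"""


def listener_names(text):
    """Names of every listener defined in the file (NAME = (DESCRIPTION_LIST ...)."""
    return re.findall(r"^([A-Za-z0-9_]+)\s*=\s*\(DESCRIPTION", text, re.M)


def param(text, name):
    """Value of a top-level NAME = value parameter, or None if it is not set."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s*=\s*(.+?)\s*$", text, re.M | re.I)
    return m.group(1) if m else None


def assess(text):
    """Map each listener to (registration_restricted, reason)."""
    report = {}
    for name in listener_names(text):
        secure = param(text, f"SECURE_REGISTER_{name}")
        dynamic = param(text, f"DYNAMIC_REGISTRATION_{name}")
        # Transports allowed to register, e.g. "(TCPS)(IPC)" -> {"TCPS", "IPC"}
        protocols = {p.upper() for p in re.findall(r"[A-Za-z]+", secure)} if secure else set()
        if dynamic and dynamic.upper() == "OFF":
            report[name] = (True, "dynamic registration disabled")
        elif protocols and "TCP" not in protocols:
            report[name] = (True, f"SECURE_REGISTER limits registration to {sorted(protocols)}")
        elif protocols:
            report[name] = (False, "SECURE_REGISTER still permits plain TCP registration")
        else:
            report[name] = (False, "no COST restriction: remote TCP registration accepted")
    return report


if __name__ == "__main__":
    for listener, (ok, why) in assess(SAMPLE_LISTENER_ORA).items():
        print(f"{listener}: {'restricted' if ok else 'EXPOSED'} ({why})")
```

Run it against a real listener.ora on each node; any listener reported as exposed still accepts registrations from remote nodes over plain TCP.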