[ISN] Researcher misinterprets Oracle advisory, discloses unpatched database vulnerability

From: InfoSec News <alerts_at_private>
Date: Mon, 30 Apr 2012 02:08:59 -0500 (CDT)
https://www.computerworld.com/s/article/9226674/Researcher_misinterprets_Oracle_advisory_discloses_unpatched_database_vulnerability

By Lucian Constantin
IDG News Service
April 27, 2012

Instructions on how to exploit an unpatched Oracle Database Server 
vulnerability in order to intercept the information exchanged between 
clients and databases were published by a security researcher who 
erroneously thought that the company had patched the flaw.

Oracle's April 2012 Critical Patch Update (CPU) advisory, published on 
April 17, credited security researcher Joxean Koret for a vulnerability 
he reported through cyberintelligence firm iSIGHT Partners.

In an email sent to the Full Disclosure mailing list on April 18, Koret 
revealed that the vulnerability is located in the Oracle TNS Listener, a 
component that routes connections from clients to Oracle database 
servers depending on which database they are trying to reach.

TNS Listener has a default feature, introduced in 1999, that allows 
clients to register a database service or database instance remotely 
without authentication, Koret said.

[...]


Received on Mon Apr 30 2012 - 00:08:59 PDT
