Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Researcher misinterprets Oracle advisory, discloses unpatched database vulnerability

From: InfoSec News <alerts () infosecnews org>
Date: Mon, 30 Apr 2012 02:08:59 -0500 (CDT)
https://www.computerworld.com/s/article/9226674/Researcher_misinterprets_Oracle_advisory_discloses_unpatched_database_vulnerability

By Lucian Constantin
IDG News Service
April 27, 2012
Instructions on how to exploit an unpatched Oracle Database Server vulnerability in order to intercept the information exchanged between clients and databases were published by a security researcher who erroneously thought that the company had patched the flaw.
Oracle's April 2012 Critical Patch Update (CPU) advisory, published on April 17, credited security researcher Joxean Koret for a vulnerability he reported through cyberintelligence firm iSIGHT Partners.
In an email sent to the Full Disclosure mailing list on April 18, Koret revealed that the vulnerability is located in the Oracle TNS Listener, a component that routes connections from clients to Oracle database servers depending on which database they are trying to reach.
TNS Listener has a default feature, introduced in 1999, that allows clients to register a database service or database instance remotely without authentication, Koret said. 

[...]


_______________________________________________
LayerOne Security Conference
May 26-27, Clarion Hotel, Anaheim, CA
http://www.layerone.org
Previous By Date Next
Previous By Thread Next

Current thread: