Oracle won’t patch zero-day hole in Database

The flaw in the Transport Network Substrate (TNS) Listener database component, which could allow a hacker to break into a database without a username or password, affects versions of Database 11g and 10g.

In April, Oracle flagged the issue and said it might be able to rectify it, but noted the difficulties in doing this. On Tuesday, it confirmed it will not issue a fix.

“Because of the nature of this issue (amount of code change required, potential for significant regression issues, and inability to automate the application of a fix), Oracle does not plan to backport a permanent fix for this vulnerability in any upcoming Critical Patch Update,” the company said in its July security bulletin.

Oracle has known about the TNS issue for at least four years. It recommended in April that Database administrators apply workarounds listed in a security advisory. A proof-of-concept attack method for the vulnerability has been made public by the security researcher who originally discovered the

(Curated by Dennis Moore.)