Oracle zero-day patch should be applied with caution, warns Qualys

Oracle has released an out-of-band patch for a zero-day vulnerability, but security firm Qualys warns against rushing to apply it

Oracle has released an out-of-band patch for a zero-day vulnerability in the Oracle Database Server V10 and V11, but security company Qualys has warned against rushing to patch.

The patch addresses the CVE-2012-1675 vulnerability recently published on the full-disclosure mailing list under the name "TNS Poison" by Joxean Koret.

Joxean, who discovered the vulnerability in 2008, claims to have been under the impression the vulnerability was fixed in Oracle's April Critical Patch Update when he released his advisory.

According to Wolfgang Kandek, chief technology officer at Qualys, the vulnerability is in the TNS listener part of the Oracle database server. It allows an attacker to perform a man-in-the-middle attack by registering an additional database instance in the TNS listener.

"The listener will then start load-balancing traffic to the new instance. This allows the attacker to receive the database transactions, record them and forward them to the original database. The attacker can potentially modify the transactions and execute commands on the original database server," he said.

Oracle recommends installing the patch as soon as possible, but Kandek believes that where the affected Oracle databases sit in a network plays an important role in deciding how to roll out the patch.

"Production Oracle database installations typically do not expose their TNS listener to the internet or even the enterprise network. A good map of your network environment will be helpful in determining where to act first," he said.
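As an added defender-side check (not from the article, Qualys or Oracle), the following Python scans a listener.ora for the two Oracle listener settings that refuse unauthenticated remote instance registration, the precondition for the attack described above: SECURE_REGISTER_<listener> (COST) and VALID_NODE_CHECKING_REGISTRATION_<listener>. The article does not name these parameters; their semantics and the listener.ora syntax are assumptions here, and both configurations are constructed samples.

```python
import re

# Transports over which an arbitrary remote TCP peer cannot register an
# instance: IPC is host-local, TCPS requires a TLS-authenticated client.
# (Assumed Oracle COST semantics; not stated in the article.)
SAFE_REGISTER_TRANSPORTS = {"IPC", "TCPS"}
# Values that turn on VALID_NODE_CHECKING_REGISTRATION_<listener> (assumed).
VNCR_ENABLED = {"ON", "1", "LOCAL", "SUBNET", "2"}

LISTENER_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*\(\s*DESCRIPTION", re.M | re.I)
COST_RE = re.compile(r"^\s*SECURE_REGISTER_(\w+)\s*=\s*\(([^)]*)\)", re.M | re.I)
VNCR_RE = re.compile(r"^\s*VALID_NODE_CHECKING_REGISTRATION_(\w+)\s*=\s*(\w+)",
                     re.M | re.I)


def registration_restricted(listener_ora: str) -> dict:
    """Map each listener name to True if remote, unauthenticated instance
    registration (what TNS Poison relies on) is blocked by its settings."""
    cost = {m.group(1).upper(): {t.strip().upper() for t in m.group(2).split(",")
                                  if t.strip()}
            for m in COST_RE.finditer(listener_ora)}
    vncr = {m.group(1).upper(): m.group(2).upper()
            for m in VNCR_RE.finditer(listener_ora)}
    verdict = {}
    for name in {m.group(1).upper() for m in LISTENER_RE.finditer(listener_ora)}:
        transports = cost.get(name, set())
        cost_ok = bool(transports) and transports <= SAFE_REGISTER_TRANSPORTS
        vncr_ok = vncr.get(name, "OFF") in VNCR_ENABLED
        verdict[name] = cost_ok or vncr_ok
    return verdict


# Constructed listener.ora samples (hostname is a placeholder).
WEAK = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )
"""
# Same listener, with registration limited to the local IPC endpoint.
HARDENED = WEAK + "SECURE_REGISTER_LISTENER = (IPC)\n"

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        for name, ok in registration_restricted(conf).items():
            print(f"{label}: {name}: remote registration {'blocked' if ok else 'OPEN'}")
```

Run it against the listener.ora of each database found in the network map Kandek describes to see which listeners still accept registrations from remote peers while the patch is being scheduled.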
