Oracle Offers Workaround After Confusion Leads to Zero-Day Disclosure
Many software developers offer bounty programs for their products. The concept is that someone finds a vulnerability and notifies the developers of the software in exchange for a reward. The point is to dissuade hackers from using the vulnerabilities by offering them something “better” (?). Of course, one would think that, after the vulnerability is turned in and the reward given, the developer would scramble to correct the issue. Oracle seems to have a different process in place.
The vulnerability, rated 7.5 on the CVSS scale (0-10, with 10 being the most severe), was found by Joxean Koret four years ago. It allowed an attacker acting as a man-in-the-middle to gain remote access to Oracle’s 10g and 11g database versions without authentication. Obviously a rather large issue. Oracle seemingly sat on this until its quarterly security update (2 weeks ago), where it appeared to fix the bug, even crediting Koret in the “Security-in-Depth” program.
Assuming the vulnerability had been corrected, Koret published a proof of concept detailing how the flaw could be used. After a few follow-up emails, however, it turned out that Oracle’s intention was to correct the flaw only in future versions of its software. The workaround Oracle has now published can be found here.