According to security researcher Joxean Koret, Oracle has no plans to patch a critical vulnerability in its database offering, leaving users open to attacks.
"Virtually all versions of the Oracle Database Server released in the past 13 years contain a bug that allows hackers to perform man-in-the-middle attacks that monitor all data passing between the server and end users who are connected to it," writes Ars Technica's Dan Goodin. "That's what Joxean Koret, a security researcher based in Spain, told Ars. The 'Oracle TNS Poison' vulnerability, as he has dubbed it, resides in the Transparent Network Substrate Listener, which routes connections between clients and the database server. Koret said Oracle learned of the bug in 2008 and indicated in a recent e-mail that it had no plans to fix current supported versions of the enterprise product because of concerns it could cause 'regressions' in the code base."
"There is no patch at all for this vulnerability and Oracle refuses to write a patch for *ANY* existing versions, even for Oracle 11g R2," Koret wrote in a post on the Full Disclosure mailing list. "So, yes, ALL versions are vulnerable and will remain vulnerable."
"Oracle isn't exactly known for getting security right, but this is downright reckless," writes Sophos' Chester Wisniewski. "Taking four years to fix a serious vulnerability, and even then only committing that future releases, to be named, will fix it? If you are responsible for securing Oracle DBs I would highly recommend creating extremely restrictive firewall rules for the TNS Listener service, or disable it entirely if it isn't needed in your environment."