A recently patched Oracle 12 database vulnerability, which exposed a flaw in the authentication process, allowed hackers to link a particular password hash with a session key. Oracle didn't patch the issue in version 11.1, which is the version in use at my organization. How much danger does this pose for enterprises? Do you have any tips for dealing with this vulnerability for version 11.1 users?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
This vulnerability was identified by Application Security Inc.'s TeamSHATTER Researcher Esteban Martinez Fayo. The vulnerability, which exists in the Oracle database authentication protocol, allows an attacker to capture a hashed password so it can be cracked to gain access to the database. Oracle fixed this vulnerability by changing the authentication protocol, but decided to not backport the fix and protocol update to earlier versions. This is fairly common when a fix makes major changes to a protocol, because the fix could break backward compatibility. As mentioned in its patch announcement, Oracle, like any major software vendor, has a technical support lifecycle, where older versions cease to receive support so that they can focus their resources on newer products. Even after applying the update, database administrators (DBAs) still need to change the authentication protocol version in use, because the vulnerable protocol is set as the default.
The first step to protecting the Oracle database authentication process from this vulnerability is to not directly place a database on the internet or allow direct external access to any database, thereby limiting where an attack can originate. DBAs should also stay as close to the most recent database version as possible, because that is where most of the database provider's resources are devoted. There are database firewalls that could protect against attacks trying to lower the protocol to a vulnerable version, but the vulnerability is part of a core component of the authentication protocol, so stopping an attack may be difficult. DBAs could also change the database to use external authentication to prevent the vulnerable protocol from being used. Another option could be for enterprises to require VPN connections to their Oracle databases when client systems are on networks where their network traffic might be captured. The VPN would prevent an attacker from capturing the password hash.
Dig deeper on Database Security Management
Related Q&A from Nick Lewis, Enterprise Threats
A new variant of Java-based malware can execute regardless of the operating system used. Nick Lewis explains how to limit the threat.continue reading
A variant of malware on Android devices removes and reinstalls itself when a device powers on or off. Learn how to completely eradicate the threat.continue reading
Expert Nick Lewis explains how to avoid a detrimental VPN bypass flaw that allows malicious apps to infiltrate Android devices.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.