A recently patched Oracle 12 database vulnerability, which exposed a flaw in the authentication process, allowed hackers to link a particular password hash with a session key. Oracle didn't patch the issue in version 11.1, which is the version in use at my organization. How much danger does this pose for enterprises? Do you have any tips for dealing with this vulnerability for version 11.1 users?
This vulnerability was identified by Esteban Martinez Fayo, a researcher with Application Security Inc.'s TeamSHATTER. The flaw sits in the Oracle database authentication protocol itself: an attacker who can observe the client-server authentication exchange can recover material equivalent to the hashed password and then crack it offline, with no account lockout or server-side logging to slow the guessing down, until the cleartext password is found and used to log in to the database. Oracle fixed the vulnerability by changing the authentication protocol, but decided not to backport the fix and the protocol change to earlier releases. This is fairly common when a fix makes major changes to a protocol, because the fix could break backward compatibility with older clients. As noted in its patch announcement, Oracle, like any major software vendor, has a technical support lifecycle in which older releases cease to receive fixes so that the vendor can focus its resources on newer products. Note also that applying the update alone is not enough: the vulnerable protocol version remains enabled by default, so database administrators (DBAs) still have to configure the server to require the newer protocol version before the fix does anything.
The first step in protecting the Oracle database authentication process from this vulnerability is to never expose a database directly to the internet or allow direct external access to it, which limits where an attack can originate. DBAs should also stay as close to the most recent database release as possible, because that is where most of the vendor's fixes and engineering effort go. Database firewalls exist that could block attempts to negotiate the connection down to a vulnerable protocol version, but because the weakness is in a core part of the authentication protocol rather than in an unusual request, stopping an attack this way may be difficult. DBAs can also switch the database to external authentication (for example, Kerberos), which prevents the vulnerable password-based protocol from being used at all. Another option is to require VPN connections to Oracle databases whenever client systems sit on networks where their traffic might be captured, since the VPN tunnel hides the authentication exchange from anyone sniffing that network. Keep in mind that the VPN protects only the path it covers: between the VPN endpoint and the database server the exchange travels in the clear again unless Oracle Net encryption is also enabled, so the VPN endpoint should sit on the same trusted segment as the database.
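The advice above boils down to a handful of sqlnet.ora settings: refuse the old protocol version, prefer external authentication, and restrict which client addresses may connect. The following lint script, added here as an example and not part of the original Q&A or any Oracle tooling, parses a sqlnet.ora and reports which of those mitigations are missing; it shows a constructed weak configuration beside a hardened one. The parameter names are real Oracle Net parameters (SQLNET.ALLOWED_LOGON_VERSION_SERVER on 12c, SQLNET.ALLOWED_LOGON_VERSION on 11.2, SQLNET.AUTHENTICATION_SERVICES, TCP.VALIDNODE_CHECKING, TCP.INVITED_NODES), but the policy of treating anything below version 12, or an absent setting, as still allowing the vulnerable protocol is this example's own assumption, chosen because the answer states that the vulnerable protocol stays on by default. On a release such as 11.1 that never received the fix, the value 12 does not exist, so the first finding cannot be cleared by configuration alone; that is exactly the situation the question describes.

```python
"""Lint an Oracle sqlnet.ora for the mitigations discussed in the answer.

Added example, not code from the original page or from Oracle. Parameter
names are real Oracle Net parameters; the thresholds below are this
example's own policy (assumption), not an Oracle-published baseline.
"""
import re

# Constructed sample: a server that keeps the defaults, so the vulnerable
# authentication protocol version is still accepted (assumed weak config).
WEAK_SQLNET_ORA = """\
# sqlnet.ora (weak, constructed sample)
SQLNET.AUTHENTICATION_SERVICES = (NONE)
"""

# Constructed sample: the hardened configuration the answer argues for.
HARDENED_SQLNET_ORA = """\
# sqlnet.ora (hardened, constructed sample)
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12
SQLNET.ALLOWED_LOGON_VERSION_CLIENT = 12
SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5)
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.0.5.12, appserver.example.com)
"""

# Simple NAME = VALUE lines; nested multi-line values are not needed here.
PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.+?)\s*$")

# Protocol version labels in increasing strictness; 12a is stricter than 12.
VERSION_RANK = {"8": 0, "9": 1, "10": 2, "11": 3, "12": 4, "12a": 5}


def parse_sqlnet_ora(text):
    """Return {PARAMETER_NAME: value} from a sqlnet.ora, ignoring comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # strip trailing '#' comments
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip()
    return params


def min_logon_version(params):
    """Effective minimum server-side protocol version, or None if unset.

    12c uses SQLNET.ALLOWED_LOGON_VERSION_SERVER; 11.2.0.3 used
    SQLNET.ALLOWED_LOGON_VERSION. The 12c name wins if both appear.
    """
    raw = params.get("SQLNET.ALLOWED_LOGON_VERSION_SERVER") or params.get(
        "SQLNET.ALLOWED_LOGON_VERSION"
    )
    if raw is None:
        return None
    return raw.strip("()").strip().lower()


def assess(text):
    """Return a sorted list of finding codes for the given sqlnet.ora text."""
    p = parse_sqlnet_ora(text)
    findings = []

    # 1. The fix only helps once the server refuses the old protocol version.
    #    Absent or below 12 is flagged (assumption: default keeps it enabled).
    v = min_logon_version(p)
    if v is None or VERSION_RANK.get(v, -1) < VERSION_RANK["12"]:
        findings.append("LOGON_VERSION_ALLOWS_VULNERABLE_PROTOCOL")

    # 2. External authentication sidesteps the password-based protocol.
    services = p.get("SQLNET.AUTHENTICATION_SERVICES", "(NONE)").upper()
    if not any(s in services for s in ("KERBEROS5", "RADIUS", "TCPS")):
        findings.append("NO_EXTERNAL_AUTHENTICATION")

    # 3. Limit where an attack can originate: only invited nodes may connect.
    if (
        p.get("TCP.VALIDNODE_CHECKING", "NO").upper() != "YES"
        or "TCP.INVITED_NODES" not in p
    ):
        findings.append("NO_CLIENT_ADDRESS_RESTRICTION")

    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SQLNET_ORA), ("hardened", HARDENED_SQLNET_ORA)):
        print(label, assess(cfg) or "no findings")
```

Run it against your own `$ORACLE_HOME/network/admin/sqlnet.ora` by passing the file contents to `assess`. A clean result does not prove the fix is present, only that the server is configured to insist on it; on a release that never received the protocol change the first finding stays, and the remaining two controls (external authentication and client address restriction) are the ones that actually reduce exposure.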