A recently patched Oracle 12 database vulnerability, which exposed a flaw in the authentication process, allowed hackers to link a particular password hash with a session key. Oracle didn't patch the issue in version 11.1, which is the version in use at my organization. How much danger does this pose for enterprises? Do you have any tips for dealing with this vulnerability for version 11.1 users?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
This vulnerability was identified by Esteban Martinez Fayo, a researcher on Application Security Inc.'s TeamSHATTER. The vulnerability, which exists in the Oracle database authentication protocol, allows an attacker to capture a hashed password so it can be cracked to gain access to the database. Oracle fixed this vulnerability by changing the authentication protocol, but decided not to backport the fix and protocol update to earlier versions. This is fairly common when a fix makes major changes to a protocol, because the fix could break backward compatibility. As noted in its patch announcement, Oracle, like any major software vendor, has a technical support lifecycle in which older versions stop receiving fixes so that the vendor can focus its resources on newer products. Even after applying the update, database administrators (DBAs) still need to change the authentication protocol version in use, because the vulnerable protocol remains the default.
The first step in protecting the Oracle database authentication process from this vulnerability is to never place a database directly on the internet or allow direct external access to any database, which limits where an attack can originate. DBAs should also stay as close to the most recent database version as possible, because that is where most of the database vendor's resources are devoted. Database firewalls could protect against attacks that try to downgrade the protocol to a vulnerable version, but because the vulnerability is part of a core component of the authentication protocol, stopping an attack this way may be difficult. DBAs could also switch the database to external authentication so that the vulnerable protocol is not used at all. Another option is for enterprises to require VPN connections to their Oracle databases when client systems are on networks where their traffic might be captured; the VPN would prevent an attacker from capturing the password hash.
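As an added illustration of the "change the authentication protocol version" step, not part of the original answer, here is a server-side sqlnet.ora fragment showing the weak setting beside the hardened one. It assumes a server that already carries Oracle's protocol fix (a patched 11.2 or a 12c release; the parameter is named SQLNET.ALLOWED_LOGON_VERSION on 11.2 and SQLNET.ALLOWED_LOGON_VERSION_SERVER on 12c), which is an assumption from Oracle's documentation rather than something this page states; it does not help an unpatched 11.1 server, where the protocol itself was never updated.

```ini
# sqlnet.ora on the database server (added example, not from the original page)

# WEAK (the post-patch default): the server still accepts the older logon
# protocol version, so a client that speaks only the old version is allowed,
# and the password-hash exposure described above stays reachable.
SQLNET.ALLOWED_LOGON_VERSION_SERVER=8

# HARDENED: require the updated logon protocol. Clients that only implement
# the older version are refused at connect time rather than negotiated down.
# (On a patched 11.2 server the key is SQLNET.ALLOWED_LOGON_VERSION=12.)
SQLNET.ALLOWED_LOGON_VERSION_SERVER=12
```

Apply the hardened value only after inventorying client versions: clients too old to speak the required protocol fail with ORA-28040 ("No matching authentication protocol"), which is the intended effect, so stage the change and watch the listener and alert logs for those errors before enforcing it fleet-wide.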