A vulnerability in current Oracle databases has made the software giant issue a new advisory and offer SSL support to certain customers for free. The vulnerability allows an attacker to listen in on database queries, and no patch is available for it.
An Oracle blog post provides the background to why the company issued the new advisory, Oracle Security Alert for CVE-2012-1675, and directs customers to two support notes: one for customers without Oracle Real Application Clusters (RAC) and one for those with RAC.
For those without RAC, Oracle recommends limiting instance registration with the listener to the local node and the IPC protocol. For those with RAC or Exadata the problem is slightly more complex, and using COST (Class of Secure Transport) there also means using SSL/TLS encryption. The catch was that SSL/TLS encryption was sold at extra cost as part of Oracle Advanced Security. Oracle has now updated its licensing so that customers can use the SSL/TLS mechanisms to protect themselves against the vulnerability.
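As an added audit helper (not from the article or from Oracle), the POSIX shell function below reads a listener.ora and reports whether service registration is still accepted over plain TCP, which is the condition the workaround above removes. It assumes the SECURE_REGISTER_<listener_name> parameter documented in Oracle's listener.ora reference; the listener name LISTENER and the sample configuration files are constructed for the demonstration.

```shell
# Added audit helper, not from the article or from Oracle. It reports whether a
# listener.ora still lets remote instances register over plain TCP, which is the
# condition the COST-style workaround is meant to remove.
# Assumptions: SECURE_REGISTER_<listener_name> is the parameter documented in
# Oracle's listener.ora reference; listener name LISTENER and all sample files
# below are constructed for the demonstration.

# Prints "restricted" when SECURE_REGISTER_<name> is present and allows only
# IPC and/or TCPS, "open" when the parameter is absent or lists TCP.
registration_status() {   # usage: registration_status <listener.ora> <LISTENER_NAME>
    file=$1; name=$2
    line=$(grep -i "^[[:space:]]*SECURE_REGISTER_${name}[[:space:]]*=" "$file" | tail -n 1)
    if [ -z "$line" ]; then
        echo open; return 1
    fi
    protos=$(printf '%s\n' "$line" | sed 's/^[^=]*=//; s/[()[:space:]]//g' \
             | tr ',' '\n' | tr 'a-z' 'A-Z')
    for p in $protos; do
        case "$p" in
            IPC|TCPS) ;;        # local-node or SSL/TLS registration only
            *) echo open; return 1 ;;
        esac
    done
    echo restricted
}

# Constructed sample configurations.
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/weak.ora" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))))
EOF
# Single-instance workaround: registration accepted from the local node only.
cat > "$WORKDIR/hardened.ora" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))))
SECURE_REGISTER_LISTENER = (IPC)
EOF
# RAC-style COST setting: remote registration only over SSL/TLS (TCPS).
cat > "$WORKDIR/rac.ora" <<'EOF'
SECURE_REGISTER_LISTENER = (TCPS, IPC)
EOF

for f in weak hardened rac; do
    printf '%s: %s\n' "$f" "$(registration_status "$WORKDIR/$f.ora" LISTENER)"
done
```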
With the change in licensing and an effective workaround available, it is unlikely that Oracle will produce a patch for its databases in the near future. Oracle is, however, emphatic that users should fix the problem, adding at the end of the security alert: “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply this Security Alert solution as soon as possible.”
The advisory says the problem affects Oracle Database 11gR2 11.2.0.2 and 11.2.0.3, 11gR1 11.1.0.7, and 10g 10.2.0.3, 10.2.0.4 and 10.2.0.5. Users of Oracle Fusion Middleware, Enterprise Manager or E-Business Suite should also take note of the issue, as these products include the vulnerable Oracle Database software.