During its latest patch day, Oracle said that a critical hole in the Oracle database had been fixed. In response, the discoverer of the hole went ahead and published the vulnerability details. Although the vulnerability affects almost all Oracle installations in production use, there is no patch for these versions. Oracle database administrators should therefore take immediate action themselves to protect their systems.
Oracle credited Joxean Koret at the bottom of its Critical Patch Update (CPU) documentation for April. When the security expert asked the company why he had been credited, Oracle replied that it was in acknowledgement of his report of a critical security hole in 2008, and that the hole had now been fixed. Koret therefore proceeded to publish details about the vulnerability, explained how it can be exploited, and recommended that users install the latest CPU patches to protect their systems. However, it then turned out that there are no patches for any of the currently available Oracle database versions. The security fixes that Oracle described refer only to the “main code line”, which is the as yet unreleased Oracle 12. Since virtually all installations in production use are affected, the vast majority of Oracle administrators have been left out in the cold and must take immediate action themselves.