Since it was first disclosed, I’ve been talking to lots of folks about the Oracle “TNS poison” vulnerability that’s out there.
Mostly, the talk has been focused on understanding the risks and implementing appropriate workarounds. But there seems to almost always come a time in the conversation when someone asks, “How can this be?”
It’s stunning to consider that Oracle sat on this issue for so long. It’s a critical vulnerability that allows full compromise of any Oracle database. It’s easy to exploit, requires no authentication, and is almost undetectable using built-in database features. But through the years and through a major database release, it remained unfixed and under wraps.