Newman said that the most egregious security hole discussed in Kornbrust's research note involves password-protecting the Listener. The Listener is a proxy between the client and the Oracle database. When you connect to the database, you connect to the Listener, which hands you off to the database. By default, the Listener lacked a password on Oracle 9i and earlier versions. Without putting a password on the Listener in those earlier versions, somebody could take full control of the database, Newman said. As it is, there are Listener attack tools available on the Internet.
In Kornbrust's research note, he points to a January 2005 dialogue between a user and an Oracle employee in which the user asked if he or she needed to password-protect the Listener. The answer from the Oracle employee was, "I know no one likes to use the password protection in the Listener. I used to be one of the first people to turn it off when working with [customers]." Kornbrust called it a "funny comment from an Oracle employee. I believe she is not aware how easy it is to become DBA [database administrator] or destroy a database via an unprotected Listener."
In the dialogue, the employee went on to emphasize the importance to database security of password-protecting the Listener. However, Newman said, it's scary to think that Oracle employees had once been in the habit of turning it off. "The point [Kornbrust] is making is an employee in Metalink is saying, 'I removed the password whenever somebody turned this on,'" Newman said. "Which means the employee is turning the security to 'Off' and leaving a big, wide hole in Oracle. It's kind of a reflection on 'Hey, people need to start thinking security is important.' If Oracle employees are out there turning security off, it's a little bit scary."
Pete Finnigan, founder of PeteFinnigan.com Ltd., a British firm that specializes in Oracle and security, said he found the employee note "funny, sad and worrying at the same time."
"This is a serious issue for Oracle: explosive, in fact!" Finnigan wrote in an e-mail. "It also has much wider implications for many other companies big and small that use public searchable knowledge bases for their customers. Security is becoming more of a widespread issue and researchers and hackers alike will look for bugs everywhere. Companies need to be very aware of what they write down and publish. They also need to filter all input through the security department to ensure that security bugs are not made public in this way."
Meanwhile, users of Metalink should also take precautions, Kornbrust warned in his research note, by using a free Webmail account in forum entries where possible. He also advises Oracle customers to make configuration files anonymous before posting on Metalink and to remove passwords before posting content. Also, if Metalink users report a bug to Oracle, Kornbrust recommends that they think about the possibility of the bug being relevant to security and escalate the issue if necessary. "Even if this costs additional time, it makes Oracle more secure in the long run," he wrote.
Although the Listener problem has been known for several years, it doesn't mean that all pre-10g versions are patched, Newman said, and the majority of active Oracle databases do in fact predate 10g.
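As an added illustration (not code from the article, Kornbrust's note or Oracle), the two administrator tasks described above can be scripted: finding listeners in a `listener.ora` file that have no password entry, and stripping password values and host names from the file before it is posted. It assumes the password is stored in the `PASSWORDS_<listener_name>` parameter of `listener.ora`; the sample file, host names, hash value and function names are constructed for the example.

```python
import re

# Constructed listener.ora (not from the article). LISTENER has a
# PASSWORDS_<name> entry; LISTENER_HR does not. The hash is a made-up value.
SAMPLE = """\
# constructed sample
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.com)(PORT = 1521)))
PASSWORDS_LISTENER = (0123456789ABCDEF)
LISTENER_HR =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db02.example.com)(PORT = 1522)))
SID_LIST_LISTENER_HR =
  (SID_LIST = (SID_DESC = (SID_NAME = HR)))
"""

def top_level_params(text):
    """Return {NAME: value} for assignments made at parenthesis depth 0."""
    params, name, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        m = re.match(r"([\w.]+)\s*=\s*(.*)", line) if depth == 0 else None
        if m:                                    # new top-level parameter
            name, line = m.group(1).upper(), m.group(2)
            params[name] = line
        elif name:                               # continuation of a value
            params[name] += " " + line
        depth += line.count("(") - line.count(")")
    return params

def unprotected_listeners(text):
    """Names of listeners with no non-empty PASSWORDS_<name> parameter."""
    params = top_level_params(text)
    names = [n for n, v in params.items()
             if re.search(r"\(\s*ADDRESS", v, re.I) and not n.startswith("SID_LIST_")]
    return [n for n in names if not params.get("PASSWORDS_" + n, "").strip("() ")]

def redact(text):
    """Blank password values and host names before the file is shared."""
    text = re.sub(r"(?im)^(\s*PASSWORDS_\w+[ \t]*=[ \t]*).*$", r"\1(<removed>)", text)
    return re.sub(r"(?i)(HOST\s*=\s*)[^)\s]+", r"\1<host>", text)

if __name__ == "__main__":
    print("no password set:", unprotected_listeners(SAMPLE))
    print(redact(SAMPLE))
```

The check reflects the pre-10g situation the article describes, where a listener without a password entry accepts administrative commands unauthenticated.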