Security experts recently disclosed that the login system of some databases from Oracle, the world's largest database software company, has a serious vulnerability that opens the door for hackers to search and tamper with data. According to Application Security researcher Esteban Martinez Fayo, the vulnerability exists on servers running Oracle Database versions 11.1 and 11.2: an attacker who mounts a brute-force attack can complete authentication and, if successful, access the databases.
According to Kevin Mitnick, founder of Mitnick Security Consulting, "Informal paths in certification are very serious problems. In this way, hackers can access the database and even tamper with the data."
It is understood that the flaw lies in the way the authentication protocol protects the session key, which creates a high-risk vulnerability: the session key is transmitted to the user before the authentication process ends. By exploiting this, hackers can connect remotely and use the session key to find the corresponding user's password.
"Once this happens, hackers can try millions of passwords every second until they find the correct one, so they can attack the session key."
What's worse, because the attack can be carried out before authentication is completed, the server records no logon failures, so hackers gain the opportunity to intrude into the system without making any major changes.
Oracle has not commented on the news.
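Since the article notes that no logon failure is recorded, one defensive check is to look for connections that were sent a session key and then ended without any authentication result. The sketch below is an added example, not code from the article or from Oracle; the event names, the log format and the sample events are all constructed assumptions, standing in for whatever a network sensor or listener trace provides.

```python
from collections import defaultdict

# Constructed sample events in a hypothetical format:
#   "<time> <conn_id> <client_ip> <username> <event>"
# SESSKEY_SENT = server transmitted the session key,
# AUTH_OK / AUTH_FAIL = authentication finished, CLOSE = connection ended.
SAMPLE_EVENTS = """\
10:00:01 c1 10.0.0.5 app_user SESSKEY_SENT
10:00:01 c1 10.0.0.5 app_user AUTH_OK
10:00:09 c1 10.0.0.5 app_user CLOSE
10:02:13 c2 192.0.2.77 system SESSKEY_SENT
10:02:13 c2 192.0.2.77 system CLOSE
10:03:40 c3 10.0.0.8 hr_user SESSKEY_SENT
10:03:41 c3 10.0.0.8 hr_user AUTH_FAIL
10:03:41 c3 10.0.0.8 hr_user CLOSE
10:04:02 c4 192.0.2.77 dbsnmp SESSKEY_SENT
10:04:02 c4 192.0.2.77 dbsnmp CLOSE
10:05:00 c5 10.0.0.9 app_user SESSKEY_SENT
"""

def find_abandoned_handshakes(log_text):
    """Return {client_ip: [usernames]} for connections that received a
    session key and then closed without any authentication result."""
    state = {}  # conn_id -> [client_ip, username, got_key, finished]
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _, conn, ip, user, event = parts
        rec = state.setdefault(conn, [ip, user, False, False])
        if event == "SESSKEY_SENT":
            rec[2] = True
        elif event in ("AUTH_OK", "AUTH_FAIL"):
            rec[3] = True  # an ordinary logon record exists for this one
        elif event == "CLOSE":
            if rec[2] and not rec[3]:
                flagged[rec[0]].append(rec[1])
            del state[conn]
    return dict(flagged)

if __name__ == "__main__":
    for ip, users in find_abandoned_handshakes(SAMPLE_EVENTS).items():
        print(f"{ip}: session key issued, no auth result, users={users}")
```

Connections that are still open (c5 in the sample) are not flagged until they close, and a failed logon (c3) is left to the normal logon failure records.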