Researchers hacked Oracle servers to demo serious vulnerability

The "Miracle Exploit" left unpatched for six months.

Oracle left what researchers called a "mega 0-day" unpatched for six months after it was reported to the enterprise software vendor, leaving multiple large corporations open to potential exploitation.

Security researchers Jang and Peterjson discovered what they named The Miracle Exploit, which affects many products based on Oracle Fusion Middleware due to a deserialisation bug in the ADF Faces component of the software.

It is a remote code execution bug that can be exploited without authentication. Oracle issued a fix for it in its April Critical Patch Update this year, a set of 520 security patches.

To demonstrate the bug, the researchers hacked Oracle web properties such as login.oracle.com which provides access to the company's online services.

The researchers did this to emphasise the seriousness of the vulnerability.

"Why did we hack some of Oracle's sites?

"Because we want to demonstrate the impact to Oracle and let them know this vulnerability is super dangerous; it affects Oracle's systems and Oracle's customers.

"That's why we want Oracle to take action ASAP.

"But as you can see, six months for Oracle to patch it, I don't know why, but we have to accept it and follow Oracle's policy," the researcher wrote, in a blog post describing the bug's discovery in detail.

The patch itself was relatively simple, with Oracle applying only some minor code changes, the researchers observed.

After the patch was released, the researchers reported the vulnerability to several corporations such as the NAB Group, BestBuy, Starbucks, Dell, Regions Bank and the United Services Automobile Association (USAA), through the companies' bug bounty programmes.

Copyright © iTnews.com.au . All rights reserved.