Oracle: Three years and ten months without a patch

David Litchfield posted to Full-Disclosure pointing out more Oracle errata:

From: David Litchfield (
Date: Tue, 15 Nov 2005 13:12:41 -0000
Subject: [Full-disclosure] Three years and ten months without a patch

Whilst looking over old Oracle bugs I discovered that a fully patched Oracle server is still vulnerable to the old extproc flaw; this flaw, when exploited, allows a remote attacker without a userID and password to take control of the server. Why, you may ask, has a supported product gone for so long without a patch for a serious problem that was made public 3 years and 10 months ago and reported to Oracle over 4 years ago?


Litchfield’s mail contains a link to additional commentary with an answer to the question above. Oracle can spin this how they please, but I think Litchfield has hit the nail on the head.

Seeking an answer to this I found the following in Alert 57:

Currently, due to architectural constraints, there are no plans to release a patch for versions,, 8.1.6.x, 8.1.5.x,, 8.0.5.x, 7.3.x, or other patchsets of the supported releases.

What? Wait a minute. They managed to fix the flaw and deal with the same “architectural constraints” in other versions – why not A cynical observer might conclude that Oracle have deliberately left this unpatched in order to improve the chances of their user base upgrading to a version of Oracle that has a patch and having to part with more money. Oracle customers running, or any of the versions listed above would be right to feel indignant. This is exactly the kind of thing I was referring to when I posted this open letter.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: