Oracle left what researchers called a “mega 0-day” unpatched for six months after it was reported to the enterprise software vendor, leaving multiple large corporations open to potential exploitation.
Security researchers Jang and Peterjson discovered what they named The Miracle Exploit, which affects many products based on Oracle Fusion Middleware due to a deserialisation bug in the ADF Faces component of the software.
It is a remote code execution bug that can be exploited without authentication; Oracle issued a fix for it in the 520-patch set of security updates it released in April this year.
To demonstrate the bug, the researchers hacked Oracle web properties such as login.oracle.com, which provides access to the company’s online services.
The researchers did this to emphasise the seriousness of the vulnerability.
“Why did we hack some of Oracle’s sites?
“Because we want to demonstrate the impact to Oracle and let them know this vulnerability is super dangerous; it affects Oracle’s systems and Oracle’s customers.
“That’s why we want Oracle to take action ASAP.
“But as you can see, 6 months for Oracle to patch it, I don’t know why, but we have to accept it and follow Oracle’s policy,” the researcher wrote, in a blog post describing the bug’s discovery in detail.
The patch itself was relatively simple, with Oracle applying only some minor code changes, the researchers observed.
After the patch was released, the researchers reported the vulnerability to several corporations such as the NAB Group, BestBuy, Starbucks, Dell, Regions Bank and the United States Automobile Association, through the companies’ bug bounty programmes.