Oracle, which did not respond to a request for comment, patched the flaw in the latest upgrade of the authentication protocol, version 12. However, the company is not planning a patch for the flawed version, 11.1, Fayo said. Even with the upgrade, database administrators have to configure the server to only allow the new version of the protocol.

Because the fix requires an upgrade, the vulnerability will hound some Oracle customers for years, said Justin Clarke, a security researcher at Cylance.

"There are many large companies and critical infrastructure agencies which cannot afford the time or risk to upgrade all their Oracle clients and servers," Clarke said. "I can say with near certainty that we will see this vulnerability as long as Oracle 11g remains in use."

Previous flaws in Oracle's authentication protocol have been a well-kept secret in the security industry, Clarke said. "It's great to see that issues like this are being discussed publicly, and I hope that this helps serve as a wake-up call for Oracle and its users to dig deeper and assess the actual strength of systems."