A dangerous new remotely exploitable vulnerability in one of Oracle Corp.’s key products has prompted the database giant to step outside its normal quarterly patch cycle and publish a workaround to help customers protect their networks.
The flaw in WebLogic Server and WebLogic Express enables an attacker to compromise a vulnerable machine without having to go through any authentication phase. There is exploit code available for the vulnerability, and Oracle said in its advisory that the issue is as serious as they come. The company is working on an emergency patch for the problem, which it plans to publish soon.

The vulnerability lies in the Apache plug-in for Oracle’s WebLogic Server and is a buffer overflow, which could allow a remote attacker to use a specially crafted HTTP request to compromise the server. The attack could either crash the server or give the attacker the ability to run code.

Oracle officials said the emergency patch response was the result of the vulnerability becoming public shortly after the company’s July 15 patch release.
“Unfortunately, the person(s) who published this vulnerability and associated exploit codes did not contact Oracle before publicly disclosing this issue. This means that the vulnerability was made public before providing Oracle an opportunity to develop an appropriate fix for this issue and notify its customers. In addition, the vulnerability was made public shortly after the publication of the July 15th Critical Patch Update, therefore prompting Oracle to issue an out of cycle security update,” Eric Maurice, marketing director at Oracle, said in a blog post on the issue.