Security Bytes

Jul 29 2008   10:07AM GMT

Emergency fix in the works for critical Oracle flaw

David Schneier

A dangerous new remotely exploitable vulnerability in one of Oracle Corp.’s key products has prompted the database giant to step outside its normal quarterly patch cycle and publish a workaround to help customers protect their networks.

The flaw in WebLogic Server and WebLogic Express enables an attacker to compromise a vulnerable machine without having to go through any authentication phase. There is exploit code available for the vulnerability and Oracle said in its advisory that the issue is as serious as they come. The company is working on an emergency patch for the problem, which it plans to publish soon. The vulnerability lies in the Apache plug-in for Oracle’s WebLogic server and is a buffer overflow, which could allow a remote attacker to use a special HTTP request to compromise the server. The attack could either crash the server or give the attacker the ability to run code. Oracle officials said the emergency patch response was the result of the vulnerability becoming public shortly after the company’s July 15 patch release.

“Unfortunately, the person(s) who published this vulnerability and associated exploit codes did not contact Oracle before publicly disclosing this issue. This means that the vulnerability was made public before providing Oracle an opportunity to develop an appropriate fix for this issue and notify its customers. In addition, the vulnerability was made public shortly after the publication of the July 15th Critical Patch Update, therefore prompting Oracle to issue an out of cycle security update,” Eric Maurice, marketing director at Oracle, said in a blog post on the issue.

1 Comment on this Post

  • Doesn't_Matter
    The justification for the out of cycle patch is a bit childish...