The Register®

Original URL: http://www.theregister.co.uk/2008/07/29/oracle_unpatched_weblogic_flaw/

Oracle warns over unpatched vuln

Zero-day BEA WebLogic flaw gets up Oracle's bonnet

By John Leyden

Posted in Enterprise Security, 29th July 2008 11:32 GMT


Oracle has decided to break its quarterly update release cycle in order to develop a patch for a vulnerability for which working exploit code is already public.

The planned fix addresses a buffer overflow flaw in Oracle WebLogic Server that gives attackers a way to run code of their choosing, and so plant malware, on targeted systems. By sending a specially malformed HTTP POST request, an attacker could compromise a vulnerable system without needing a valid user name or password, warns an alert on the bug from IBM's X-Force security division (http://xforce.iss.net/xforce/xfdb/43885).

Multiple versions of Oracle (formerly BEA) WebLogic are affected. In an advisory (http://blogs.oracle.com/security/2008/07/security_alert_for_cve-2008-3257_released.html) published on Monday, Oracle said it had advised WebLogic customers about workarounds while it develops a patch to address the root cause of the flaw, which stems from a failure to properly check bounds in the Apache Connector component of the enterprise package.
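The article describes the defect class but does not show the connector's code, so the following is an added illustration written for this page, not the WebLogic Apache Connector's source. It models a reverse-proxy plug-in that copies a client-supplied HTTP request line into a fixed-size buffer before forwarding it: the first routine trusts the client-controlled length (the missing bounds check the advisory describes), while the rest bounds every copy and rejects an over-long POST instead of overrunning the stack. The buffer size, function names and sample requests are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define REQLINE_MAX 256   /* hypothetical fixed buffer size; not the real plug-in's */

/* BEFORE: the pattern behind a missing bounds check. The request-line fields
 * are client-controlled; nothing stops their combined length exceeding
 * REQLINE_MAX, so an over-long POST line overruns 'line' on the stack.
 * Shown for contrast only; never called below. */
void build_forward_line_vuln(const char *method, const char *uri, const char *version)
{
    char line[REQLINE_MAX];
    sprintf(line, "%s %s %s", method, uri, version);  /* no length check */
    (void)line;  /* would be written to the back-end socket */
}

/* AFTER: measure first, refuse anything that does not fit, and still check
 * snprintf's return value. Returns 0 on success, -1 if the request is rejected. */
int build_forward_line_safe(char *out, size_t outsz, const char *method,
                            const char *uri, const char *version)
{
    size_t need = strlen(method) + strlen(uri) + strlen(version) + 3; /* 2 SP + NUL */
    if (need > outsz)
        return -1;  /* reject rather than silently truncate */
    int n = snprintf(out, outsz, "%s %s %s", method, uri, version);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Copy [start, end) into dst only if it is non-empty and leaves room for NUL. */
static int copy_token(const char *start, const char *end, char *dst, size_t dstsz)
{
    size_t len = (size_t)(end - start);
    if (len == 0 || len >= dstsz)
        return -1;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return 0;
}

/* Split "METHOD SP URI SP VERSION[CRLF]" into bounded buffers.
 * Returns 0 on success, -1 if the line is malformed or any field is too long. */
int parse_request_line(const char *raw, char *method, size_t msz,
                       char *uri, size_t usz, char *version, size_t vsz)
{
    const char *sp1 = strchr(raw, ' ');
    if (!sp1) return -1;
    const char *sp2 = strchr(sp1 + 1, ' ');
    if (!sp2) return -1;
    const char *end = sp2 + 1 + strcspn(sp2 + 1, " \r\n");
    if (*end == ' ') return -1;  /* more than three tokens */
    if (copy_token(raw, sp1, method, msz) != 0) return -1;
    if (copy_token(sp1 + 1, sp2, uri, usz) != 0) return -1;
    return copy_token(sp2 + 1, end, version, vsz);
}

/* Parse an inbound request line and build the line to forward, with every
 * copy bounded. 0 = forwarded, -1 = rejected. */
int handle_request(const char *raw, char *fwd, size_t fwdsz)
{
    char method[16], uri[REQLINE_MAX], version[16];
    if (parse_request_line(raw, method, sizeof method, uri, sizeof uri,
                           version, sizeof version) != 0)
        return -1;
    return build_forward_line_safe(fwd, fwdsz, method, uri, version);
}

/* Constructed sample inputs (not real captures). */
static const char GOOD_POST[] = "POST /index.jsp HTTP/1.1\r\n";

/* Build a POST whose URI is about 1500 bytes, far beyond REQLINE_MAX. */
static void build_oversized_post(char *buf, size_t bufsz)
{
    memset(buf, 0, bufsz);
    strcpy(buf, "POST /");
    memset(buf + 6, 'A', 1500);
    strcat(buf, " HTTP/1.1\r\n");
}

int demo_good_request(void)
{
    char fwd[REQLINE_MAX];
    if (handle_request(GOOD_POST, fwd, sizeof fwd) != 0) return -1;
    return strcmp(fwd, "POST /index.jsp HTTP/1.1") == 0 ? 0 : -2;
}

int demo_oversized_request(void)
{
    char raw[2048], fwd[REQLINE_MAX];
    build_oversized_post(raw, sizeof raw);
    return handle_request(raw, fwd, sizeof fwd);
}

int main(void)
{
    printf("well-formed POST: %d (0 = forwarded)\n", demo_good_request());
    printf("oversized POST:   %d (-1 = rejected)\n", demo_oversized_request());
    return 0;
}
```

The design point is that the hardened path never lets the client decide how many bytes are written: each field has its own cap, the combined length is checked before the copy, and a request that does not fit is refused outright, which is also what a front-end request-size limit achieves as a stopgap when the vulnerable component itself cannot yet be patched.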

The planned patch will be the first to be released outside the three-monthly release cycle Oracle introduced in January 2005. Oracle criticised the decision by independent security researchers to post details of the vulnerability and exploit code before giving it the opportunity to develop a patch.

The flaw rates 10.0 out of 10, the maximum score (double plus critical), according to the Common Vulnerability Scoring System (CVSS), a cross-industry scheme designed to standardise the rating of vulnerabilities.

The vulnerability, which affects multiple versions of WebLogic Server, was made public days after Oracle released 45 security patches in its July Critical Patch Update (http://www.us-cert.gov/current/index.html#oracle_releases_critical_patch_update3) on 15 July. ®