Oracle warns over unpatched vuln
Zero-day BEA WebLogic flaw gets up Oracle's bonnet
Oracle has decided to break its quarterly update release cycle with plans to develop a patch against a zero-day exploit.
The planned fix addresses a buffer overflow flaw in Oracle WebLogic Server that creates a means for hackers to plant malware onto targeted systems. By sending a specially malformed HTTP POST request, attackers might be able to attack vulnerable systems without needing either user names or passwords, an alert on the bug by IBM's X-Force security division warns.
Multiple versions of Oracle (formerly BEA) WebLogic are affected. In an advisory published on Monday, Oracle said it had advised WebLogic customers about workarounds while it develops a patch to address the root cause of the flaw, which stems from a failure to properly check bounds in the Apache Connector component of the enterprise package.
The planned patch will be the first to be released outside the three-monthly release cycle Oracle introduced three years ago, in January 2005. Oracle criticised a decision by independent security researchers to post details of the vulnerability and exploit code before giving it the opportunity to develop a patch.
The flaw rates 10.0 out of 10 - double plus critical - according to the Common Vulnerability Scoring System (CVSS), a cross-industry scheme designed to standardise the ratings of vulnerabilities.
The vulnerability - which affected a wide variety of its enterprise software packages - was made public days after Oracle released 45 security patches as part of its summer update patch cycle on 15 July. ®