Original URL: http://www.theregister.co.uk/2008/07/29/oracle_unpatched_weblogic_flaw/
Oracle warns over unpatched vuln
Zero-day BEA WebLogic flaw gets up Oracle's bonnet
Posted in Security, 29th July 2008 11:32 GMT
Oracle has decided to break its quarterly update release cycle with plans to develop a patch against a zero-day exploit.
The planned fix addresses a buffer overflow flaw in Oracle WebLogic Server which creates a means for hackers to plant malware onto targeted systems. By sending a specially malformed HTTP POST request, attackers might be able to compromise vulnerable systems without needing a username or password, warns an alert on the bug from IBM's X-Force security division [1].
Multiple versions of Oracle (formerly BEA) WebLogic are affected. In an advisory [2] published on Monday, Oracle said it had advised WebLogic customers about workarounds while it develops a patch to address the root cause of the flaw, which stems from a failure to properly check bounds in the Apache Connector component of the enterprise package.
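The root cause Oracle describes, a missing bounds check on request data handled by a native web-server plug-in, is a well-known defect class. The following is an added illustration, not WebLogic's or the Apache connector's own code: a header value copied into a fixed-size buffer with no length check, beside a bounded parser that measures the value first and refuses anything that does not fit. The buffer size (VALUE_MAX), the header names and the sample request text are all constructed for the example.

```c
/* Added illustration, not WebLogic or Apache plug-in code: the defect class
 * the article describes (a request field copied into a fixed buffer without
 * a bounds check) beside a bounded parser that rejects oversized input.
 * Buffer size, header names and request text are constructed for the demo. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 64   /* hypothetical fixed buffer for one header value */

enum parse_result { PARSE_OK = 0, PARSE_NOT_FOUND, PARSE_TOO_LONG, PARSE_BAD_SYNTAX };

/* Vulnerable shape: no length check. A value of VALUE_MAX bytes or more
 * writes past the end of 'out'. Shown only for contrast; it is only ever
 * called below on a value whose length has already been verified. */
void copy_value_unchecked(const char *value, char out[VALUE_MAX])
{
    strcpy(out, value);
}

/* ASCII case-insensitive match of "Name:" at the start of a header line.
 * Stops early on a mismatch, so it never reads past a '\0' in 'line'. */
static int header_name_matches(const char *line, const char *name, size_t name_len)
{
    for (size_t i = 0; i < name_len; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return line[name_len] == ':';
}

/* Hardened: locate the header, measure its value, and copy it only when it
 * fits in VALUE_MAX-1 bytes plus the terminator. */
enum parse_result get_header_value(const char *request, const char *name,
                                   char out[VALUE_MAX])
{
    size_t name_len = strlen(name);
    const char *line = strstr(request, "\r\n");    /* headers follow the request line */
    if (line == NULL)
        return PARSE_BAD_SYNTAX;
    line += 2;

    while (*line != '\0' && strncmp(line, "\r\n", 2) != 0) {
        const char *eol = strstr(line, "\r\n");
        if (eol == NULL)
            return PARSE_BAD_SYNTAX;                 /* unterminated header line */
        if (header_name_matches(line, name, name_len)) {
            const char *value = line + name_len + 1;
            while (value < eol && *value == ' ')
                value++;                             /* skip optional leading spaces */
            size_t value_len = (size_t)(eol - value);
            if (value_len >= VALUE_MAX)
                return PARSE_TOO_LONG;               /* the check the vulnerable form lacks */
            memcpy(out, value, value_len);
            out[value_len] = '\0';
            return PARSE_OK;
        }
        line = eol + 2;
    }
    return PARSE_NOT_FOUND;
}

/* Constructed sample request with a well-formed Host header. */
static const char SAMPLE_REQUEST[] =
    "POST /index.jsp HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n";

/* Returns 1 when both copy paths agree on a short, well-formed value. */
int demo_normal_request(void)
{
    char bounded[VALUE_MAX], unchecked[VALUE_MAX];
    if (get_header_value(SAMPLE_REQUEST, "host", bounded) != PARSE_OK)
        return 0;
    copy_value_unchecked(bounded, unchecked);        /* safe: length already verified */
    return strcmp(bounded, "example.test") == 0 && strcmp(unchecked, bounded) == 0;
}

/* Builds a request whose Host value is host_len bytes of 'a' and returns the
 * bounded parser's verdict: host_len >= VALUE_MAX must give PARSE_TOO_LONG. */
int demo_host_of_length(size_t host_len)
{
    char host[512], request[1024], out[VALUE_MAX];
    if (host_len >= sizeof host)
        return -1;
    memset(host, 'a', host_len);
    host[host_len] = '\0';
    snprintf(request, sizeof request,
             "POST /index.jsp HTTP/1.1\r\nHost: %s\r\nContent-Type: text/plain\r\n\r\n",
             host);
    return (int)get_header_value(request, "Host", out);
}

int main(void)
{
    printf("normal request parsed: %s\n", demo_normal_request() ? "yes" : "no");
    printf("300-byte Host value: %s\n",
           demo_host_of_length(300) == PARSE_TOO_LONG ? "rejected" : "accepted");
    return 0;
}
```

The point of the contrast is where the decision is made: the bounded parser computes the value length from the line terminator before any copy happens, so an oversized field is an error code rather than a stack write, which is also the condition a defender would log and alert on at the connector boundary.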
The planned patch will be the first to be released outside the three-monthly release cycle Oracle introduced three years ago in January 2005. Oracle criticised a decision by independent security researchers to post details of the vulnerability and exploit code before giving it the opportunity to develop a patch.
The flaw rates 10.0 out of 10 - double plus critical - according to the Common Vulnerability Scoring System (CVSS), a cross-industry scheme designed to standardise the ratings of vulnerabilities.
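To show where a maximum score comes from, here is an added example (not part of the original article) that computes a CVSS v2 base score from its six base metrics using the published v2 weights and formula. The article does not print the official vector for this flaw; the vector scored first (remote, low complexity, no authentication, complete confidentiality, integrity and availability impact) is assumed from its description of an unauthenticated remote flaw that lets attackers plant malware, and is labelled as an assumption in the code. A second vector is scored for contrast.

```c
/* Added example: CVSS v2 base-score arithmetic. Weights and formula are the
 * CVSS v2 specification's; the vector for the article's flaw is ASSUMED from
 * the prose (the page does not print it). Not Oracle's or NVD's code. */
#include <stdio.h>

enum access_vector     { AV_LOCAL, AV_ADJACENT, AV_NETWORK };
enum access_complexity { AC_HIGH, AC_MEDIUM, AC_LOW };
enum authentication    { AU_MULTIPLE, AU_SINGLE, AU_NONE };
enum impact            { IMP_NONE, IMP_PARTIAL, IMP_COMPLETE };

struct cvss2_vector {
    enum access_vector av;
    enum access_complexity ac;
    enum authentication au;
    enum impact c, i, a;
};

/* CVSS v2 metric weights, indexed by the enums above. */
static const double AV_WEIGHT[]  = { 0.395, 0.646, 1.0 };
static const double AC_WEIGHT[]  = { 0.35, 0.61, 0.71 };
static const double AU_WEIGHT[]  = { 0.45, 0.56, 0.704 };
static const double IMP_WEIGHT[] = { 0.0, 0.275, 0.660 };

/* CVSS v2 reports scores rounded to one decimal place. */
static double round_one_decimal(double x)
{
    return (double)((long)(x * 10.0 + 0.5)) / 10.0;   /* x is never negative here */
}

/* Impact = 10.41 * (1 - (1-C)(1-I)(1-A)) */
double cvss2_impact(const struct cvss2_vector *v)
{
    return 10.41 * (1.0 - (1.0 - IMP_WEIGHT[v->c]) * (1.0 - IMP_WEIGHT[v->i])
                          * (1.0 - IMP_WEIGHT[v->a]));
}

/* Exploitability = 20 * AV * AC * Au */
double cvss2_exploitability(const struct cvss2_vector *v)
{
    return 20.0 * AV_WEIGHT[v->av] * AC_WEIGHT[v->ac] * AU_WEIGHT[v->au];
}

/* BaseScore = round((0.6*Impact + 0.4*Exploitability - 1.5) * f(Impact)),
 * where f(Impact) is 0 when Impact is 0 and 1.176 otherwise. */
double cvss2_base_score(const struct cvss2_vector *v)
{
    double impact = cvss2_impact(v);
    double f_impact = (impact == 0.0) ? 0.0 : 1.176;
    return round_one_decimal((0.6 * impact + 0.4 * cvss2_exploitability(v) - 1.5) * f_impact);
}

/* ASSUMED vector for the article's flaw: AV:N/AC:L/Au:N/C:C/I:C/A:C. */
double score_assumed_weblogic_vector(void)
{
    struct cvss2_vector v = { AV_NETWORK, AC_LOW, AU_NONE, IMP_COMPLETE, IMP_COMPLETE, IMP_COMPLETE };
    return cvss2_base_score(&v);
}

/* Contrast: same access path, but one authenticated session required and
 * only partial impacts (AV:N/AC:L/Au:S/C:P/I:P/A:P). */
double score_authenticated_partial_vector(void)
{
    struct cvss2_vector v = { AV_NETWORK, AC_LOW, AU_SINGLE, IMP_PARTIAL, IMP_PARTIAL, IMP_PARTIAL };
    return cvss2_base_score(&v);
}

int main(void)
{
    printf("assumed vector (unauthenticated, complete impact): %.1f\n",
           score_assumed_weblogic_vector());
    printf("authenticated, partial impact:                     %.1f\n",
           score_authenticated_partial_vector());
    return 0;
}
```

Carrying the first vector through by hand: Impact = 10.41 * (1 - 0.34^3) = 10.0008, Exploitability = 20 * 1.0 * 0.71 * 0.704 = 9.9968, and (0.6 * 10.0008 + 0.4 * 9.9968 - 1.5) * 1.176 = 9.995, which rounds to 10.0. Moving the Au metric to Single and the impacts to Partial drops the same calculation to 6.5, which is why the "no user names or passwords" detail in the X-Force alert matters so much to the rating.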
The vulnerability - which affected a wide variety of its enterprise software packages - was made public days after Oracle released 45 security patches as part of its summer update [3] patch cycle on 15 July. ®
