Wednesday, July 30, 2008

Out of Cycle Security Update from Oracle

For the first time since the introduction of its quarterly Critical Patch Update process in 2005, Oracle has released an emergency alert to offer mitigation for a zero-day vulnerability that's been published on the Internet.

The emergency workaround, available here, addresses an unpatched vulnerability that's remotely exploitable without authentication (no username or password is required to exploit it over the network) and can result in a compromise of the confidentiality, integrity, and availability of the targeted system.

Oracle's Eric Maurice says the vulnerability carries a CVSS Base Score of 10.0, the maximum severity rating.

This IBM ISS alert provides some technical details:

Oracle WebLogic Server (formerly known as BEA WebLogic Server) is vulnerable to a buffer overflow, caused by improper bounds checking by the Apache Connector. By sending a specially crafted HTTP POST request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server to crash.