Oracle has urged customers to patch software against vulnerabilities that enable simple yet effective denial-of-service attacks against web servers.
The out-of-cycle patches for the latest versions of Fusion Middleware and Oracle Application Server address flaws in the open source Apache web server components bundled with the Oracle software. An attack tool that exploits the vulnerabilities, called "Apache Killer", has been in the wild since at least August.
"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply security alert fixes as soon as possible," Oracle said in an advisory on Thursday.
The US Computer Emergency Readiness Team (US-CERT) urged Oracle users and administrators to review the advisory on Monday. The denial-of-service vulnerability lies in the open-source Apache HTTP Server (httpd) and affects the Oracle HTTP Server products based on Apache 2.0 (Oracle Application Server 10g) and on Apache 2.2 (Fusion Middleware 11g).
The Apache Software Foundation has brought out two releases to address the flaws: Apache HTTP Server 2.2.20 and 2.2.21. Oracle declined to say on Monday whether it had implemented the fixes from Apache HTTP Server 2.2.21 in its own updates.
The holes in the software let an attacker launch a denial-of-service attack against Oracle HTTP Server, but not against the underlying operating system, Oracle said in its advisory. The underlying flaw is in the handling of the HTTP Range header: a single web client can make the server service many overlapping requests for large amounts of data at once, overloading the server.
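As an added example (not code from the article, Oracle, or the Apache project), the check below shows the kind of range-header workaround the article alludes to, written as a request filter a defender could place in front of the server: it rejects a Range header that carries more than a handful of byte ranges, or ranges that overlap, before the server expands them. The MAX_RANGES threshold and the function names are assumptions of this example.

```python
import re

MAX_RANGES = 5  # constructed threshold for this example, not a value from the article or Apache
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_byte_ranges(header_value):
    """'bytes=0-99,200-' -> [(0, 99), (200, None)]; a suffix range '-500'
    gives (None, 500). Raises ValueError on malformed input."""
    unit, sep, specs = header_value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise ValueError("unsupported or malformed range unit")
    ranges = []
    for spec in specs.split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError("malformed range spec: %r" % spec)
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        ranges.append((start, end))
    return ranges

def ranges_overlap(ranges, resource_length):
    """True if any two ranges cover the same byte of a resource of this length."""
    intervals = []
    for start, end in ranges:
        if start is None:  # suffix range: the last `end` bytes of the resource
            s, e = max(resource_length - end, 0), resource_length - 1
        else:
            s = start
            e = resource_length - 1 if end is None else min(end, resource_length - 1)
        if s <= e:  # unsatisfiable ranges expand to nothing, so skip them
            intervals.append((s, e))
    intervals.sort()
    for (_, prev_end), (next_start, _) in zip(intervals, intervals[1:]):
        if next_start <= prev_end:
            return True
    return False

def should_reject_range(header_value, resource_length):
    """Reject malformed headers, more than MAX_RANGES ranges, or overlapping
    ranges, before the server expands them. Returns (reject, reason)."""
    try:
        ranges = parse_byte_ranges(header_value)
    except ValueError as exc:
        return True, str(exc)
    if len(ranges) > MAX_RANGES:
        return True, "too many ranges (%d)" % len(ranges)
    if ranges_overlap(ranges, resource_length):
        return True, "overlapping ranges"
    return False, "ok"
```

A rejected request would normally be answered with a plain 200 response (ignoring the header) or a 416, whichever the site's policy prefers; the filter only decides, it does not send.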
Oracle brought out the patch ahead of the scheduled update cycle due to the ease of an attack, Oracle software security assurance director Eric Maurice said in a blog post on Thursday.
"This vulnerability allows a malicious attacker to hang the Oracle HTTP Server product via an easy-to-deploy, unauthenticated network attack," said Maurice. "Due to the criticality of this vulnerability and particularly its ease of exploitation, Oracle decided to release fixes for the affected and supported products as soon as the testing for these fixes was completed, before the release of the next scheduled Critical Patch Update on October 18th 2011."
All customers should deploy the patch as soon as possible, even if they have already implemented workarounds, said Maurice. Oracle has found that many of the workarounds can cause "regression issues across the stack", he added.
Oracle has released only five out-of-cycle patches since 2005, which indicates how severe the possible outcomes of an attack are, security company Sophos said in a blog post on Saturday.
"If you're an Oracle user, this patch is definitely recommended in a hurry," Sophos Asia Pacific head of technology Paul Ducklin said in the blog post. "The general unwillingness of Oracle to deviate from its once-every-three-months patch cycle spells one word, 'importance'."
Oracle is involved in open source development, including supporting the Apache Axis and Struts projects, and provides interfaces with Oracle products.