Oracle releases out-of-band patch for server hole

Oracle has released a patch for a server flaw that can be exploited over a network without the use of a username or password.

The patch addresses a vulnerability in the Node Manager component of Oracle WebLogic Server, and affects the latest versions of the software, Oracle said in an advisory on Thursday.

It is highly unusual for Oracle to release an out-of-band patch for a critical flaw, as the company usually prefers to release critical patch updates every three months.

On Windows versions of WebLogic Server 9.0 and later, the flaw has a maximum Common Vulnerability Scoring System (CVSS) score of 10, according to the Oracle advisory. Linux and Unix versions were given a lower CVSS score due to the lower impact of the vunerability on those systems.

The software maker recommended that customers apply the patch immediately. In addition, as Oracle patches are cumulative at sub-component level, it urged customers to implement the fixes it pushed out in January 2010 and earlier.

Workarounds for the issue include restricting access to the Node Manager port through a firewall or some other network access control device, Oracle said. Access to this port should be given only to a trusted user or subnet, Oracle added.

In January, security researcher Evgeny Legerov published an exploit for a hole in WebLogic Server as part of the Week of Web Server bugs. The bug lies in an optional Node Manager utility that supports several commands, but does not ask for authentication for some of the commands, Legerov said in a blog post. Oracle did not mention Legerov's bug in its advisory, so it is unclear whether its patch will address the flaw.