Oracle rushes out patch for gaping server hole

Oracle has released an out-of-band patch to fix a gaping security hole in the Oracle WebLogic Node Manager and warned that an attacker could launch remote attacks over a network without the need for a username and password.

The patch follows the public release of exploit code as part of the recent Week of Web Server Bugs.

From Oracle's advisory:

A successful exploitation of this vulnerability may result in a full compromise of the targeted server on Windows. On other platforms (Unix, Linux, etc.), the attacker may gain access to the targeted server with the same privileges as the WebLogic server processes. This kind of vulnerability further highlights the need to use "least privilege" as much as possible on operating systems for running sensitive processes and applications. Additionally, note that many organizations have firewall policies preventing connection to the Node Manager administrative port by external users, thus preventing the exploitation of the vulnerability by anonymous Internet users.

Oracle is "strongly recommending" that this fix is applied immediately.

Here is the link to Oracle's patch information.  And here is the exploit code released by Evgeny Legerov.

It is very rare for Oracle to ship patches outside of its quarterly Critical Patch Update schedule.