For the first time since the introduction of its quarterly Critical Patch Update process in 2005, Oracle has released an emergency alert to offer mitigation for a zero-day vulnerability that's been published on the Internet.
The emergency workaround, available here, addresses an unpatched vulnerability that is remotely exploitable without authentication (it can be exploited over the network without a username and password) and can result in a compromise of the confidentiality, integrity, and availability of the targeted system.
Oracle's Eric Maurice says the vulnerability carries a CVSS Base Score of 10.0, the maximum severity rating:
When Oracle became aware of this issue, our security and development teams worked diligently to develop an effective workaround to prevent a successful exploitation of the vulnerability. Detailed instructions for this workaround have been posted on the eSupport site, and Oracle has already issued a Security Alert to all WebLogic customers to let them know about this workaround. In addition, Oracle will also issue an out-of-cycle security patch for this vulnerability as soon as the fix has been produced for all supported version-platform combinations. We expect this fix to be ready very soon, and we will issue an updated Security Alert to let customers know about its availability. In the meantime, we recommend that all customers implement the recommended workaround.
Unfortunately, the person(s) who published this vulnerability and associated exploit codes did not contact Oracle before publicly disclosing this issue. This means that the vulnerability was made public before providing Oracle an opportunity to develop an appropriate fix for this issue and notify its customers. In addition, the vulnerability was made public shortly after the publication of the July 15th Critical Patch Update, therefore prompting Oracle to issue an out-of-cycle security update.
This IBM ISS alert provides some technical details:
Oracle WebLogic Server (formerly known as BEA WebLogic Server) is vulnerable to a buffer overflow, caused by improper bounds checking by the Apache Connector. By sending a specially-crafted HTTP POST request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server to crash.
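To illustrate the class of defect the IBM ISS alert describes, here is a constructed example (added here; it is not Oracle's or the Apache Connector's code and does not reproduce the actual flaw): a request-line copy with no bounds check beside a hardened version that rejects oversized lines. The buffer size REQ_LINE_MAX and the helper names are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of a connector's request-line buffer (hypothetical, for this example). */
#define REQ_LINE_MAX 256

typedef enum { REQ_OK = 0, REQ_TOO_LONG = 1, REQ_MALFORMED = 2 } req_status;

/* Pattern of the flaw class in the alert: the request line is copied into a fixed-size
   stack buffer with no length check, so a line longer than the buffer overruns it.
   Shown for contrast only; never call this on untrusted input. */
void unchecked_copy_request_line(const char *line) {
    char buf[REQ_LINE_MAX];
    strcpy(buf, line);            /* no bounds check: writes past buf for long lines */
    (void)buf;
}

/* Hardened equivalent: copy the first line of raw into out only if it fits. */
req_status parse_request_line(const char *raw, char *out, size_t out_len) {
    const char *eol = strstr(raw, "\r\n");
    if (eol == NULL) return REQ_MALFORMED;          /* no terminated request line */
    size_t line_len = (size_t)(eol - raw);
    if (line_len + 1 > out_len) return REQ_TOO_LONG; /* reject instead of overflowing */
    memcpy(out, raw, line_len);
    out[line_len] = '\0';
    return REQ_OK;
}

int is_post(const char *line) { return strncmp(line, "POST ", 5) == 0; }

/* Build a constructed POST request whose request line is exactly line_len bytes
   (padded with a long URI path), run it through the hardened parser, return the result. */
req_status check_constructed_post(size_t line_len) {
    const char *prefix = "POST /", *suffix = " HTTP/1.1";
    size_t plen = strlen(prefix), slen = strlen(suffix);
    if (line_len < plen + slen + 1) return REQ_MALFORMED;
    char *raw = malloc(line_len + 5);               /* room for "\r\n\r\n" and NUL */
    if (raw == NULL) return REQ_MALFORMED;
    size_t path_len = line_len - plen - slen;
    memcpy(raw, prefix, plen);
    memset(raw + plen, 'A', path_len);
    memcpy(raw + plen + path_len, suffix, slen);
    memcpy(raw + line_len, "\r\n\r\n", 5);
    char out[REQ_LINE_MAX];
    req_status st = parse_request_line(raw, out, sizeof out);
    free(raw);
    return st;
}
```

A request line of 255 bytes still fits the 256-byte buffer with its terminator; 256 bytes or more is rejected rather than written past the end.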
The emergency alert comes less than two weeks after the database server giant shipped patches for a total of 45 security vulnerabilities, bringing the vulnerability count for 2008 to a whopping 112.