Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Oracle rushes out patch for gaping server hole

By Ryan Naraine | February 5, 2010, 1:17pm PST

Summary: The patch follows the public release of exploit code as part of the recent Week of Web Server Bugs.

Oracle has released an out-of-band patch for a gaping security hole in Oracle WebLogic Node Manager, warning that the flaw can be exploited remotely over the network by an attacker who holds no username or password.

The patch follows the public release of exploit code, by Evgeny Legerov, as part of the recent Week of Web Server Bugs.

From Oracle’s advisory:

A successful exploitation of this vulnerability may result in a full compromise of the targeted server on Windows. On other platforms (Unix, Linux, etc.), the attacker may gain access to the targeted server with the same privileges as the WebLogic server processes. This kind of vulnerability further highlights the need to use “least privilege” as much as possible on operating systems for running sensitive processes and applications. Additionally, note that many organizations have firewall policies preventing connection to the Node Manager administrative port by external users, thus preventing the exploitation of the vulnerability by anonymous Internet users.

Oracle is "strongly recommending" that this fix be applied immediately.

Here is the link to Oracle's patch information. And here is the exploit code released by Evgeny Legerov.

It is very rare for Oracle to ship patches outside of its quarterly Critical Patch Update schedule.



Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

18 Comments

RE: Oracle rushes out patch for gaping server hole
efsane Updated - 8th Apr 2011
Well done! Thank you very much for professional templates and community edition
sesli sohbet sesli chat
Windows -> full control of system
Linux/Unix -> privileges of the Weblogic process only (depending on your setup may not amount to much)

So go ahead and explain folks how there's no difference in Windows and Linux security. :)
Ok, Windows has better security
honeymonster Updated - 5th Feb 2010
Only Oracle/Weblogic has clearly chosen not to take advantage of it.

For these types of applications (services) Windows features MAC (mandatory access control). It is called service hardening. Basically what it does is to transparently create a specific account for each service. This means that even if the service runs as "local system" (akin to root) - the process privileges have effectively been dropped to only allow access to resources specifically granted.

It gets worse. WebLogic/Oracle must actually be running the server as "local system" - even though the recommended account for these types of services is "network service" or "local service".

These accounts are "regular users" on the machine - they do not have system privileges.

Clearly the weblogic installation for Windows has been made by *nix engineers with little understanding of Windows security infrastructure. Had it been set up correctly these types of compromises are not possible.

BTW - I think WebLogic is often set up to run as root on *nix as well. That is equally stupid.

(IIS is set up to run as "Network Service")
That's all?
storm14k 5th Feb 2010
I guess it must be late on a Friday lol.
Troll alert. Please don't respond to this poster
honeymonster Updated - 5th Feb 2010
My bad for believing he actually wanted information.

Should have seen that. Please don't repeat my mistake.
..point of view must be a troll. Thanks for going out of your way to let us all know that, so that people who read both posts but didn't think he was a troll, will now be enlightened to the truth.
Nope ... but he did refute the OP
georgef 6th Feb 2010
How much more information do you need - honeymonster had a pretty good rebuttal actually and yet all that comes back is a smarmy response. Based on his info I see the point about how it was probably a UNIX programmer writing the Windows port.

If this were a debate I would think Honeynonster won and storm14k and Azumac lost. Your post is baffling though - he wasn't even trying to get someone to share his point of view - just answering the challenge .. which again .. he won.
(I am assuming honeymonster is a he ... not sure why...)
I like how..
AzuMao 6th Feb 2010
..you only manage to spell the alleged troll's name correctly, and also how you think someone can lose something they haven't participated in.
Man you cats are uptight.
storm14k 7th Feb 2010
I saw this article and saw that the normal Linux/Windows fight had not begun so I started it as a joke. I'd think most people would find it quite obvious that the Windows installs must have root permissions. At that point it's down to why and whether it can be changed on a per install basis.
Speaking of Windows, it's nice how Oracle fixes vulnerabilities in their products as soon as they are found rather than weeks/months/years later like Microsoft.



There's no difference since they are both less than 100% perfect, which, according to MS apologists, makes them the same.
Let me help you out...
ye Updated - 7th Feb 2010
Windows -> privileges of the Weblogic process only (with Weblogic choosing a privileged account instead of a separate account)
Linux/Unix -> privileges of the Weblogic process only (depending on your setup may not amount to much)

So go ahead and explain folks how there's no difference in Windows and Linux security.

Windows provides the exact same mechanism as UNIX. If Weblogic chose to use a privileged account then that's a problem with their choice and not Windows forcing it upon them. You're welcome.
Yes, but why?
914four 11th Feb 2010
"If Weblogic chose to use a privileged account then that's a problem with their choice and not Windows forcing it upon them."
Why would they make this choice? Perhaps it's because historically they had to and they've simply not adapted once they no longer had to?
..is like blaming Microsoft for Windows Live Games not running "properly" under *nix systems. You're welcome.
The vendors don't do a very good job at porting these *nix apps to Windows. They do a slap-dash job of it even from a normal functionality standpoint, and I've seen where they don't use best practices as far as OS security goes (relying on full admin privileges to run functions, etc - you know, all the stuff you don't want to have in place for proper security).

IBM's WebSphere was a prime example of this back when it first came out. I had an idiot support rep at IBM come right out and tell me that IBM didn't bother to code their crap securely for Windows because they figured if a customer was interested in security, then you'd be on a *nix platform (that's almost verbatim). I went to a few choice forums and started to alert others to this attitude, and the next thing I know I'm getting a phone call from some IBM VP asking to discuss the problem with her. SANS wanted my company to become the poster child for this problem by going very public with the problem - 3rd party apps not running on properly secured Windows platforms - but we didn't want the publicity.

So, it's not always a Windows issue. Sometimes, it's the application vendor's issue.
Exactly.
AzuMao 8th Feb 2010
Just like the (now non-existent) problems of driver support were not a Linux issue, but rather a manufacturer issue, and the current lack of games is also not a Linux issue, but rather a game vendor's issue.
Do these Oracle web services run on Windows only with a service account with full access? Why can't it be installed with a service account with lesser privileges, like many other products?
Probably ignorance
honeymonster Updated - 7th Feb 2010
Windows is not the premium platform for deployment of WebLogic. I believe Solaris and Linux are the most common platforms for WebLogic.

Seems like there's a good chance that the Windows installer was made by *nix engineers with little understanding (and little respect) of the Windows least privilege principles, service isolation and -hardening.

If a service genuinely needs to run as "local system" - which is not quite "root" but almost - best practice is to use hardening. Windows allows a per-service security configuration which will severely limit what a service can do, even though it is running as "local system". Basically the installer then needs to explicitly grant access to any resource the service may need to legitimately access. Any other access is prohibited.

Windows features two other accounts intended for services: "Local Service" and "Network Service". These two accounts are not privileged - rather they are "regular users" on a system. The "network" variant is allowed to represent the machine on the network.

From the consequences outlined in the advisory, one can deduce that WebLogic is running as "local system" with NO hardening.

Had they been running WL under "network service" or "local service", system compromise is not possible even if the process is completely taken over.

Had they been running WL with a per-service SID (hardening) it would also not be possible to compromise the system, as the SID would need to be granted access rights to resources, regardless of which account it was running under. Basically, the service would be limited by *both*.

It is a stretch to believe that this was purposeful to paint an unflattering picture of Windows.

"Never attribute to malice that which is adequately explained by stupidity."
--Robert J. Hanlon

In this case I believe it is simply a combination of ignorance and other priorities.
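The service hardening the comment above describes (per-service SID, a built-in unprivileged service account, stripped privileges, resources ACL'd to the service) together with the firewall restriction of the Node Manager administrative port that Oracle's advisory mentions, as an added PowerShell example. This is not code from the article, from Oracle, or from any commenter. The service name NodeManager, the install path C:\Oracle\Middleware, the listen port 5556 and the management subnet 10.0.100.0/24 are assumptions for illustration, and so is the set of file-system rights granted: the real set has to be derived from what Node Manager actually touches (it starts and stops managed-server JVMs, so it needs execute access to the JDK and the install tree and write access to its own logs and state).

```powershell
# Added example, not Oracle's or any commenter's code. Every name below is an assumption.
# Run from an elevated PowerShell on the WebLogic host.
$svc     = 'NodeManager'            # assumed Windows service name of Node Manager
$mwHome  = 'C:\Oracle\Middleware'   # assumed Middleware install root
$port    = 5556                     # assumed Node Manager listen port
$mgmtNet = '10.0.100.0/24'          # assumed management network allowed to reach it

# 1. Inspect the current state. An account of LocalSystem with sidtype NONE is the
#    configuration under which a compromise of the process is a compromise of the host.
sc.exe qc $svc
sc.exe qsidtype $svc
sc.exe qprivs $svc

# 2. Give the service its own per-service SID (NT SERVICE\NodeManager). The process token
#    then carries this SID alongside the account SID, so resources can be ACL'd to the
#    service itself rather than to an account shared with other services.
sc.exe sidtype $svc unrestricted

# 3. Run as the built-in, unprivileged NetworkService account instead of LocalSystem.
#    Built-in service accounts take no password, so no 'password=' argument is needed.
sc.exe config $svc obj= 'NT AUTHORITY\NetworkService'

# 4. Drop every privilege the process does not need. SeChangeNotifyPrivilege is the bare
#    minimum for path traversal; add back only privileges the service proves to need.
sc.exe privs $svc SeChangeNotifyPrivilege

# 5. Grant the service SID only the file-system access it needs: read/execute on the
#    install tree, modify on its own log directory. Anything not granted here is denied.
icacls $mwHome /grant "NT SERVICE\${svc}:(OI)(CI)RX"
icacls "$mwHome\logs" /grant "NT SERVICE\${svc}:(OI)(CI)M"

# 6. Expose the Node Manager port only to the management network. Windows Firewall gives
#    explicit block rules precedence over allow rules, so do not add a catch-all block for
#    the port; rely on the default inbound policy, set here explicitly, plus one allow rule.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name=WebLogic-NodeManager-mgmt dir=in action=allow protocol=TCP localport=$port remoteip=$mgmtNet

# 7. Restart so the new account, SID type and privilege set take effect, then verify.
Restart-Service $svc
sc.exe showsid $svc
sc.exe qsidtype $svc
sc.exe qprivs $svc
```

Each step is reversible if Node Manager fails to start under the tighter settings (`sc.exe sidtype $svc none`, `sc.exe config $svc obj= LocalSystem`), which makes it practical to tighten one step at a time and watch the service's event-log errors to discover which resource or privilege it genuinely needs.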
Well said Honey!
914four 11th Feb 2010
I have to admit that I used to lump you in with Loverock, however I am impressed with your impartial analysis in this case. I will pay more attention to your responses in the future.