Oracle rushes out patch for gaping server hole
Summary: The patch follows the public release of exploit code as part of the recent Week of Web Server Bugs.
Oracle has released an out-of-band patch to fix a gaping security hole in the Oracle WebLogic Node Manager and warned that an attacker could launch remote attacks over a network without the need for a username and password.
The patch follows the public release of exploit code as part of the recent Week of Web Server Bugs.
From Oracle's advisory:
A successful exploitation of this vulnerability may result in a full compromise of the targeted server on Windows. On other platforms (Unix, Linux, etc.), the attacker may gain access to the targeted server with the same privileges as the WebLogic server processes. This kind of vulnerability further highlights the need to use "least privilege" as much as possible on operating systems for running sensitive processes and applications. Additionally, note that many organizations have firewall policies preventing connection to the Node Manager administrative port by external users, thus preventing the exploitation of the vulnerability by anonymous Internet users.
Oracle is "strongly recommending" that this fix is applied immediately.
Here is the link to Oracle's patch information. And here is the exploit code released by Evgeny Legerov.
It is very rare for Oracle to ship patches outside of its quarterly Critical Patch Update schedule.
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
It must be a slow day...let me kick this off...
Linux/Unix -> privileges of the Weblogic process
only (depending on your setup may not amount to
much)
So go ahead and explain folks how theres no
difference in Windows and Linux security. :-)
Ok, Windows has better security
For these types of applications (services) Windows features MAC (mandatory access control). It is called <i>service hardening</i>. Basically what it does is to transparently create a specific account for each service. This means that even if the service runs as "local system" (akin to root) - the process privileges has effectively been dropped to only allow access to resources specifically granted.
It gets worse. WebLogic/Oracle must actually be running the server as "local system" - even though the recommended account for these types of services is "network service" or "local service".
These accounts are "regular users" on the machine - they do not have system privileges.
Clearly the weblogic installation for Windows has been made by *nix engineers with little understanding of Windows security infrastructure. Had it been set up correctly these types of compromises are not possible.
BTW - I think WebLogic is often set up to run as root on *nix as well. That is equally stupid.
(IIS is set up to run as "Network Service")
Thats all?
Troll alert. Please don't respond to this poster
Should have seen that. Please don't repeat my mistake.
Yes, anyone wanting more information before they will share your..
Nope ... but he did refute the OP
if this wre a debate I would think Honeynonster won and storm14k and Azumac lost. Your post is baffling though - he wasnt even trying to get someone to share his point of view - just answering the challenge .. which again .. he won.
(I am assuming honeymonster is a he ... not sure why...)
I like how..
name correctly, and also how you think someone can
lose something they havn't participated in.
Man you cats are uptight.
Linux/Windows fight had not begun so I started it
as a joke. I'd think most people would find it
quite obvious that the Windows installs must have
root permissiosn. At that point its down to why
and whether it can be changed on a per install
basis.
Last time I checked, the Oracle RDBMS was closed source and ran on Windows.
There's no difference since they are both less than 100% perfect, which, according to MS apologists, makes them the same.
Let me help you out...
only (with Weblogic choosing a privileged account instead of a separate account)
Linux/Unix -> privileges of the Weblogic process only (depending on your setup may not amount to much)
[i]So go ahead and explain folks how theres no
difference in Windows and Linux security.[/i]
Windows provides the exact same mechanism as UNIX. If Weblogic chose to use a privileged account then that's a problem with their choice and not Windows forcing it upon them. You're welcome.
Yes, but why?
Why would they make this choice? Perhaps it's because historically they had to and they've simply not adapted once they no longer had to?
Blaming Oracle for not "properly" supporting Windows..
running "properly" under *nix systems. You're welcome.
*nix apps ported to Windows used to be unsecurable
IBM's WebSphere was a prime example of this back when it first came out. I had an idiot support rep at IBM come right and tell me that IBM didn't bother to code their crap securely for Windows because they figured if a customer was interested in security, then you'd be on a *nix platform (that's almost verbatim). I went to a few choice forums and started to alert others to this attitude, and the next thing I know I'm getting a phone call from some IBM VP asking to discuss the problem with her. SANS wanted my company to become the poster child for this problem by going very public with the problem - 3rd party apps not running on properly secured Windows platforms - but we didn't want the publicity.
So, it's not always a Windows issue. Sometimes, it the application vendor's issue.
Exactly.
driver support were not a Linux issue, but rather
a manufacturer issue, and the current lack of
games is also not a Linux issue, but rather a game
vendor's issue.
Is Oracle trying to back-handedly diss Windows?
Probably ignorance
deployment of WebLogic. I believe Solaris and
Linux are the most common platforms for
WebLogic.
Seems like there's a good chance that the
windows installer was made by *nix engineers
with little understanding (and little respect)
of the Windows least privilege principles,
service isolation and -hardening.
If a service genuinely needs to run as "local
system" - which is not quite "root" but almost
- best practice is to use hardening. Windows
allows a per-service security configuration
which will severely limit what a service can
do, even though it is running as "local
system". Basically the installer then needs to
explicitly <i>grant</i> access to any resource
the service may need to legitimately access.
Any other access is prohibited.
Windows features two other accounts intended
for services: "Local Service" and "Network
Service". These two accounts are not privileged
- rather they are "regular users" on a system.
The "network" variant is allowed to represent
the machine on the network.
For the consequences outlined in the advisory,
one can deduce that WebLogic is running as
"local system" with NO hardening.
Had they been running WL under "network
service" or "local service" system compromise
is not possible even if the process is
completely taken over.
Had they been running WL with a per-service SID
(hardening) it would also not be possible to
compromise the system as the SID would need to
be granted access rights to resources,
regardless of which account it was running
under. Basically, the service would be limited
by *both*.
It is a stretch to believe that this was
purposeful to paint a unflattering picture of
Windows.
<i>"Never attribute to malice that which is
adequately explained by stupidity."</i>
--Robert J. Hanlon
In this case I believe it is simply a
combination of ignorance and other priorities.
Well said Honey!
RE: Oracle rushes out patch for gaping server hole
<a href="http://www.yuregininsesi.com">sesli sohbet</a> <a href="http://www.yuregininsesi.com">sesli chat</a>