Oracle releases out-of-band patch for server hole

Summary: The business software maker has taken the unusual step of releasing an out-of-band patch for a critical WebLogic Server vulnerability

TOPICS: Security

Oracle has released a patch for a server flaw that can be exploited over a network without the use of a username or password.

The patch addresses a vulnerability in the Node Manager component of Oracle WebLogic Server, and affects the latest versions of the software, Oracle said in an advisory on Thursday.

It is highly unusual for Oracle to release an out-of-band patch for a critical flaw, as the company usually prefers to release critical patch updates every three months.

On Windows versions of WebLogic Server 9.0 and later, the flaw has the maximum Common Vulnerability Scoring System (CVSS) score of 10, according to the Oracle advisory. Linux and Unix versions were given a lower CVSS score because the vulnerability has a lower impact on those systems.

The software maker recommended that customers apply the patch immediately. In addition, as Oracle patches are cumulative at sub-component level, it urged customers to implement the fixes it pushed out in January 2010 and earlier.

Workarounds for the issue include restricting access to the Node Manager port through a firewall or some other network access control device, Oracle said. Access to this port should be given only to a trusted user or subnet, Oracle added.
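The network-level workaround Oracle describes, written out as an nftables ruleset. This is an added illustration, not configuration from Oracle's advisory; it assumes Node Manager is listening on its default TCP port 5556 and that 10.0.10.0/24 is the trusted administration subnet.

```nftables
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept

        # Weak setting: exposes Node Manager to every host that can reach the server.
        # tcp dport 5556 accept

        # Corrected setting: Node Manager (assumed default port 5556) is reachable
        # only from the trusted admin subnet (assumed 10.0.10.0/24); everything
        # else falls through to the chain's drop policy.
        ip saddr 10.0.10.0/24 tcp dport 5556 accept

        # Ordinary WebLogic listen port stays open to clients.
        tcp dport 7001 accept
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset` that no unrestricted rule for the Node Manager port remains.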

In January, security researcher Evgeny Legerov published an exploit for a hole in WebLogic Server as part of the Week of Web Server bugs. The bug lies in an optional Node Manager utility that supports several commands, but does not ask for authentication for some of the commands, Legerov said in a blog post. Oracle did not mention Legerov's bug in its advisory, so it is unclear whether its patch will address the flaw.

Tom Espiner

About Tom Espiner

Tom is a technology reporter. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.
