Oracle rushes to patch serious flaw

Oracle late yesterday issued a rare out-of-cycle patch for a public flaw in its application server products that can be exploited remotely, without authentication.

The emergency patch replaces workarounds the vendor issued last week in a rare security warning about a vulnerability in the Apache plug-in for the application servers, Oracle WebLogic (formerly BEA WebLogic) Server and Express products.

Oracle advised administrators to apply the patch immediately; it replaces the vulnerable Apache plug-in with an updated version "to remedy this issue without the use of workarounds," the company said.

The warning said that the flaw could be exploited remotely "over a network without the need for a username and password," compromising "the confidentiality, integrity and availability of the targeted system".

Accordingly, the flaw was rated 10 on the Common Vulnerability Scoring System (CVSS), the risk evaluation framework's most severe rating.

This is the first time in three years, since Oracle began patching its systems in a regular quarterly update cycle, that it has issued a security warning and patch outside its normal patch cycle.

The last Critical Patch Update Oracle issued was mid-July, but none of the flaws fixed then were as severe as this most recent Apache plug-in vulnerability.

Miya Knights

A 25-year veteran enterprise technology expert, Miya Knights applies her deep understanding of technology gained through her journalism career to both her role as a consultant and as director at Retail Technology Magazine, which she helped shape over the past 17 years. Miya was educated at Oxford University, earning a master’s degree in English.

Her role as a journalist has seen her write for many of the leading technology publishers in the UK such as ITPro, TechWeekEurope, CIO UK, Computer Weekly, and also a number of national newspapers including The Times, Independent, and Financial Times.