Oracle patched the denial-of-service vulnerability in Oracle Fusion Middleware and Application Server that could be exploited with the Apache Killer script.
Oracle issued
an emergency patch to fix a security vulnerability in Oracle application
servers that are based on the Apache Web server software.
Apache
developers rushed out a patch a few weeks ago to close a bug
that allowed attackers to launch denial-of-service (DoS) attacks on Web servers
running Apache 2.0 and 2.2. Oracle's out-of-band update would fix the same
issue on Oracle Fusion Middleware, Oracle Application Server and Oracle
Enterprise Manager, according to a critical patch update advisory from the
database giant Sept. 15. These systems are still commonly deployed in the
enterprise.
Without
needing a user name or password, attackers can remotely exploit the flaw that
sends extremely large blocks of information in the headers in Apache HTTP
Server. When the victim server tries to process the data, memory and CPU
resources are exhausted, resulting in a DoS attack. While the bug has been
known since 2007, a researcher posted an "Apache Killer" Perl script on the "Full
Disclosure" mailing list in August that made it easier to launch these
attacks.
"Due to
the threat posed by a successful attack, Oracle strongly recommends that
customers apply Security Alert fixes as soon as possible," Oracle said in
the security alert.
The issue also
exists in Apache 1.3, but Apache developers decided not to patch that version
because it was no longer supported. Similarly, Oracle patched only the most
recent versions that are based on Apache 2.0 and 2.2. The fix is available for
Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0 and
11.1.1.5.0; Oracle Application Server 10g Release 3, version 10.1.3.5.0; and
Oracle Application Server 10g Release 2, version 10.1.2.3.0.
Administrators
running a Mac-based server with Apache will still need to wait for Apple to
deliver a patch because the Web Server is bundled inside Mac OS X.
The issue is
"an urgent one," Kurt Baumgartner, a senior security researcher at
Kaspersky Lab, wrote on the SecureList blog. Attackers are targeting this
vulnerability, as evidenced by the fact that "simple Perl scripts are
publicly available," he said. Considering the number of high-profile site
takedowns that have already happened this year, site administrators are
"urged to spend another day patching ASAP," he added.
The National
Vulnerability Database has assigned a Common Vulnerability Scoring System (CVSS)
score of 7.8 for this vulnerability, according to the advisory, CVE-2011-3192. The score indicates that if
exploited, the vulnerability could result in a "complete operating system
denial of service."
Oracle
downgraded the CVSS rating on its own advisory to a 5.0 because "a
complete operating system denial of service is not possible on any platform
supported by Oracle." The HTTP Server on the servers will suffer denial of
service, but the actual system will remain up and running, the company claimed.
Oracle
assessed the vulnerability as serious enough to issue an out-of-band update
instead of waiting for its next Critical Patch Update release, scheduled for Oct.
18.
Considering
the seriousness of the bug and the speed Apache moved to patch the bug, it was
"surprising" that Oracle waited till mid-September to patch an issue
that was being publicly exploited, reported on and patched in August,
Baumgartner said.
Email
Print
