Oracle Sounds Alert Over Unpatched WebLogic Server Flaw
Hackers have released exploit code for an unpatched flaw affecting the Apache plug-in for Oracle's WebLogic Server. While Oracle prepares a patch for the vulnerability, it has provided information on workarounds to help ensure enterprise security.
Oracle officials are issuing a red alert regarding a flaw affecting the Apache plug-in for Oracle WebLogic after exploit code for the vulnerability was posted in public forums. The flaw affects a number of versions of Oracle WebLogic Server--formerly BEA WebLogic Server--and can be exploited remotely, without authentication, to execute code or cause the server to crash. The flaw carries a CVSS score of 10.0, and the situation was considered serious enough for Oracle to release its first emergency alert since it began its Critical Patch Update process in 2005.
"Unfortunately, the person(s) who published this vulnerability and associated exploit codes did not contact Oracle before publicly disclosing this issue," Eric Maurice, software security assurance director at Oracle, wrote in a blog posting July 28. "This means that the vulnerability was made public before providing Oracle an opportunity to develop an appropriate fix for this issue and notify its customers."