The security issue has been posted on several public forums

Jul 29, 2008 12:50 GMT

The vulnerability in question is rated as highly critical, scoring 10.0 on the CVSS (Common Vulnerability Scoring System), and it is the first time since 2005 that Oracle has broken its quarterly update release cycle to address a security issue. The Apache plugin for Oracle WebLogic (you might know it under its former name, BEA WebLogic) suffers from a buffer overflow vulnerability that may allow an attacker to plant malicious software on the affected machine.

"Unfortunately, the person(s) who published this vulnerability and associated exploit codes did not contact Oracle before publicly disclosing this issue. This means that the vulnerability was made public before providing Oracle an opportunity to develop an appropriate fix for this issue and notify its customers. In addition, the vulnerability was made public shortly after the publication of the July 15th Critical Patch Update, therefore prompting Oracle to issue an out of cycle security update," says Eric Maurice from Oracle.

Once the Oracle team learned of the vulnerability, which has been assigned CVE-2008-3257, it set to work on a fix. The first countermeasure the development team came up with was a "recommended workaround", and all Oracle customers were advised to read it and implement the measures it describes. Yesterday, the 28th of July, Oracle announced that a patch will also be made available.

"We expect this fix to be ready very soon, and we will issue an updated Security Alert to let customers know about its availability. In the meanwhile, we recommend that all customers implement the recommended workaround," said Eric Maurice.

The recently discovered vulnerability in the Oracle software adds fuel to the debate over whether publicly disclosing security vulnerabilities aids attackers. On the one hand, an attacker does not have to spend huge amounts of time looking for vulnerabilities, because the technical details are already available on the web. On the other hand, making such information available to the general public forces the software vendor to take action and address the situation.

The best course of action would be to inform the software vendor of the issue and allow its security team to develop a fix. Only after the vulnerability has been fixed should the technical details be released.