Users are urged to apply this patch instead of the previously recommended workaround

Aug 6, 2008 15:49 GMT

Oracle has officially released the patch for the security vulnerability in the Apache plug-in for Oracle WebLogic Server that it had announced at the end of July.

On July 28, Oracle was forced to publish a security advisory for a newly discovered vulnerability in the Apache plug-in for Oracle WebLogic. The flaw, tracked as CVE-2008-3257, received a CVSS (Common Vulnerability Scoring System) base score of 10.0 (High), the maximum possible, because it can be exploited remotely without any authentication and affects "the confidentiality, integrity and availability of the targeted system."

The company was caught off guard because the vulnerability and its exploit were published by a third party without any prior contact with Oracle. As a result, Oracle did not have time to prepare an immediate fix and initially had to publish only a temporary workaround. "We expect this fix to be ready very soon, and we will issue an updated Security Alert to let customers know about its availability. In the meanwhile, we recommend that all customers implement the recommended workaround," Eric Maurice from Oracle said at the time.

This was the first time in three years that Oracle had to release a patch outside its regular quarterly patch cycle. The original security advisory has now been updated to include the download link for the patch, noting that the new version "supersedes the previous version that provided only workarounds for this vulnerability."

The vulnerability affects the WebLogic Server and WebLogic Express products up to and including version 10.0; the newly released version 10.3 is not affected because it already ships with the fix. The patched plug-in is compatible with all affected WebLogic Server versions. Because the flaw lies in the plug-in itself, the patch is applied on the Apache web server that fronts WebLogic rather than on the WebLogic instance: users who download it are advised to back up their existing plug-in, install the patched one and then restart the web server. Anyone who deployed the earlier workaround should still apply the patch, since the workaround was only ever intended as a stopgap.

Eric Maurice also voiced his dissatisfaction with the practice of releasing proof-of-concept exploits before notifying the affected vendor of the vulnerability. "Unfortunately, the person(s) who published this vulnerability and associated exploit codes did not contact Oracle before publicly disclosing this issue," he noted.