
Security Fixes and Improvements


Oracle Releases Out of Cycle Patch for Critical Vulnerability

Users are urged to apply this patch instead of the previously recommended workaround

By Lucian Constantin, Web News Editor

6th of August 2008, 15:49 GMT



Oracle releases out of cycle security patch
Oracle has officially released the patch for the security vulnerability in the Apache plug-in for Oracle WebLogic that was announced at the end of July.

On July 28, Oracle was forced to release a security advisory due to a newly discovered vulnerability in the Apache plug-in for Oracle WebLogic. This vulnerability, known as CVE-2008-3257, was rated 10.0 (High) on the CVSS (Common Vulnerability Scoring System) scale because no authentication was required to exploit it remotely and it affected "the confidentiality, integrity and availability of the targeted system."

The company was taken by surprise because someone released the exploit for this vulnerability without contacting it first. For this reason, it did not have the time to come up with an immediate fix and had to release a temporary workaround. "We expect this fix to be ready very soon, and we will issue an updated Security Alert to let customers know about its availability. In the meanwhile, we recommend that all customers implement the recommended workaround," Eric Maurice from Oracle said at that time.

This was the first time in three years that Oracle had to release a patch out of its regular patch cycle. The previous security advisory was updated to include the download link to the patch, mentioning that it "supersedes the previous version that provided only workarounds for this vulnerability."

This vulnerability affects the WebLogic Server and WebLogic Express products up to version 10.0. The newly released version 10.3 is not affected because it already includes this patch, which is also compatible with all versions of WebLogic Server. Users who download the patch are advised to save their previous plug-in, install the patch and then restart the web server.

Eric Maurice voiced his dissatisfaction with the practice of releasing proof-of-concept exploits before notifying the software developers about the vulnerabilities. "Unfortunately, the person(s) who published this vulnerability and associated exploit codes did not contact Oracle before publicly disclosing this issue," he noted.

TAGS:

WebLogic | Vulnerability | Patch | CVE-2008-3257 | Oracle

© Copyright 2001-2009 Softpedia