Oracle has released an emergency patch for a vulnerability that, according to the company, could bring down its HTTP application servers, which are based on Apache 2.0 or 2.2.
According to a statement released by Oracle, attackers can exploit the weakness remotely without needing a username or password. Multiple products are affected by the bug, including Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0 and 11.1.1.5.0; Oracle Application Server 10g Release 3, version 10.1.1.5.0; and Oracle Application Server 10g Release 2, version 10.1.2.3.0.
The United States Government's National Vulnerability Database has already assigned the bug a Common Vulnerability Scoring System (CVSS) rating of 7.8, indicating a "complete Operating System denial of service (DoS)", according to the company. However, Oracle took issue with that assessment in its security alert.
According to the company, "A complete Operating System denial of service is not possible on any platform supported by Oracle, and as a result, Oracle has given the vulnerability a CVSS Base Score of 5.0 indicating a complete denial of service of the Oracle HTTP Server but not the Operating System."
Regardless of how it is scored, the bug was evidently serious enough for Oracle to release a patch outside of its usual quarterly Critical Patch Update schedule, the next of which is due on October 18, 2011.
The hack at Oracle is just the latest in a series of hacks against large corporations, government websites and other companies by multiple hacker groups that like to be known as "hacktivists". These attacks have become so frequent that the government has started an all-out campaign against these hackers in an attempt to stop them before they cause any extremely serious damage.
Source: PC World - Oracle: Security Flaw Could Bring Down App Servers