Oracle Warns Of Major WebLogic Vulnerability


Oracle is warning customers that an exploit is circulating for a vulnerability in its WebLogic Server that remote attackers without authentication can use to access confidential data and cause denial of service.

In an advisory issued earlier this week, Oracle said an exploit has begun circulating that affects WebLogic Server applications that use versions of the WebLogic plug-in for Apache server released before July 28.

Oracle has yet to release a patch for the affected plug-in, but offered two workarounds that it says will protect users while it works on a fix.

One workaround involves configuring Apache server to reject certain invalid requests, which limits the maximum URL length to less than 4,000 bytes. Oracle notes that users can also protect themselves by downloading and installing the open source Web application firewall from ModSecurity.

Oracle assigned the vulnerability a CVSS severity score of 10 out of 10, as did the National Vulnerability Database. Danish security research firm Secunia gave it a 'highly critical' rating, or 4 on its 5 point severity scale.

Oracle picked up the widely used WebLogic application server in its $6.7 billion acquisition of BEA Systems, which closed in April. Earlier this month, Oracle said that WebLogic will become Oracle's flagship application server offering, but it will continue to develop its own application server.