Oracle WebLogic Server Rates a 10 for Big Flaw


Oracle has had an interesting record for the past three and a half years when it comes to security. Since January 2005, Oracle has not had to release an out-of-cycle security alert for its products.

That record ended this week with the public report of a serious vulnerability in Oracle’s BEA WebLogic Web server, which rates a 10 on the Common Vulnerability Scoring System (CVSS) scale.

The vulnerability could be remotely exploited by an attacker without authentication and could leave a WebLogic server at the mercy of a hacker.

“Unfortunately, the person(s) who published this vulnerability and associated exploit codes did not contact Oracle before publicly disclosing this issue,” Eric Maurice, manager for security in Oracle’s global technology business unit, noted in a blog post. “This means that the vulnerability was made public before providing Oracle an opportunity to develop an appropriate fix for this issue and notify its customers.”

The out-of-cycle alert comes barely two weeks after Oracle’s July critical patch update, or CPU, which is a quarterly release for security updates to Oracle products. The July CPU was also the first one that included the BEA WebLogic server since Oracle acquired BEA earlier this year.

Ryan Barnett, director of application security at Breach, a software vendor in this market, noted that though the alert is an out-of-cycle patch for Oracle, it’s not uncommon for BEA and not necessarily more severe.

“I would not attribute the timing of this alert to mean that it is any more severe than other high alerts issued by Oracle,” Barnett told “Keep in mind that Oracle acquired BEA back in January of this year,” he explained. “As you might expect, it often takes some time for organizations that have merged to iron out all of their processes, and in some cases they remain somewhat autonomous.”

Barnett argued that while Oracle aims to release only four CPUs a year, it appears that the BEA division is on its own advisory patch alert cycle for its products. As evidence, Barnett pointed to BEA’s alert repository, which already shows 30 alerts released for 2008.

An Oracle spokesperson was not immediately available for comment.

The new flaw affects all BEA WebLogic application servers that use the WebLogic plug-in for Apache. Apache Web servers are commonly deployed alongside WebLogic. In its security advisory Oracle noted that Apache servers already configured with the mod_security module are protected from this vulnerability by the default core rule set.

“This specific attack vector attempts to inject a large amount of data into the HTTP Protocol version portion of a Web request,” Barnett noted. “This can be immediately, accurately and effectively identified and blocked using the open source ModSecurity Web application firewall Apache module.”
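As an added illustration of the kind of check Barnett describes (example code written for this page, not taken from the article, Oracle, BEA or the ModSecurity project), the following Python parses HTTP request lines and flags any whose protocol-version slot is oversized or malformed instead of a plain `HTTP/x.y`; the request lines it scans are constructed samples, not captured traffic.

```python
import re

# Strict shape of the version token in an HTTP/1.x request line: "HTTP/" then
# one digit, a dot and one digit, e.g. "HTTP/1.0" or "HTTP/1.1".
VERSION_RE = re.compile(r"^HTTP/\d\.\d$")
MAX_VERSION_LEN = len("HTTP/1.1")  # a longer token cannot be a real version

def check_request_line(line: str) -> dict:
    """Parse one request line; return its fields plus 'suspicious' and 'reason'."""
    parts = line.rstrip("\r\n").split(" ")
    result = {"method": None, "target": None, "version": None,
              "suspicious": True, "reason": "request line is not 3 tokens"}
    if len(parts) == 2:
        # HTTP/0.9-style request: method and target only, no version token.
        result.update(method=parts[0], target=parts[1],
                      suspicious=False, reason="no version token (HTTP/0.9)")
        return result
    if len(parts) != 3:
        return result
    result.update(method=parts[0], target=parts[1], version=parts[2])
    version = parts[2]
    if len(version) > MAX_VERSION_LEN:
        # Length first, so the report says how much data was stuffed in.
        result["reason"] = "oversized version token (%d bytes)" % len(version)
    elif not VERSION_RE.match(version):
        result["reason"] = "malformed version token"
    else:
        result.update(suspicious=False, reason="ok")
    return result

def suspicious_lines(lines: list) -> list:
    """Return one 'reason: <line prefix>' entry per suspicious request line."""
    hits = []
    for line in lines:
        verdict = check_request_line(line)
        if verdict["suspicious"]:
            hits.append("%s: %s" % (verdict["reason"], line[:40]))
    return hits

# Constructed sample request lines (not captured traffic): a normal request,
# one with 4 KB stuffed into the version field, one with a malformed version
# and one version-less HTTP/0.9 request.
SAMPLE_LINES = [
    "GET /index.html HTTP/1.1",
    "GET /app/ HTTP/" + "A" * 4096,
    "GET /robots.txt HTTP/x.y",
    "GET /",
]
```

Running `suspicious_lines(SAMPLE_LINES)` flags the second and third samples only; a WAF rule doing the same comparison on the request line is what makes this vector easy to block before it reaches the plug-in.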

Barnett explained that ModSecurity can be directly compiled into a WebLogic server as well. “It’s important to note that Oracle/BEA recommended ModSecurity as a workaround due to the fact that they do not currently have a patch available and proof of concept code has been published on the Internet.”
