Oracle Issues Emergency Security Advisory

In a rare move, Oracle broke its normal procedures and issued an emergency patch due to concerns about the impact of a successful attack.

The fix addresses a denial-of-service vulnerability in Oracle’s Apache Web server software. According to Oracle, the issue affects multiple versions of Oracle Fusion Middleware 11g Release 1, Oracle Application Server 10g Release 3 and Oracle Application Server 10g Release 2.

“This security alert addresses the security issue CVE-2011-3192, a denial of service vulnerability in Apache HTTPD, which is applicable to Oracle HTTP Server products based on Apache 2.0 or 2.2,” the company wrote in an advisory. “This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the availability of un-patched systems.”

This is just the fifth time Oracle has released an out-of-band patch since starting its Patch Tuesday cycle in 2005, blogged Paul Ducklin, Sophos’ head of technology for Asia Pacific.

“The vulnerability, CVE-2011-3192, allowed even a single web client to trigger a huge number of simultaneous requests for large amounts of data,” he explained. “The flaw was exploited by sending a request for multiple parts of the same file at the same time.”

The Apache Software Foundation has already issued two patches for the vulnerability. The first, version 2.2.20, was released at the end of August. It was followed by version 2.2.21, which was released recently. It is unclear from the Oracle advisory which of the patches Oracle used in its update. Information about version 2.2.21, however, can be found here.
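As an added illustration (not code from Oracle, Apache or this article) of the check a reverse proxy or request filter can apply to the Range header that CVE-2011-3192 requests abuse: parse the byte-range set and reject requests that ask for an unusually large number of ranges or for ranges that overlap. Apache 2.2.21 added a MaxRanges directive for the same purpose server-side; the cap of five ranges used here is an assumption for the example.

```python
import re

# Assumed cap for this example: a legitimate client rarely needs more than a
# handful of byte ranges in one request; the value itself is not from the article.
MAX_RANGES = 5
RANGE_RE = re.compile(r"^\s*bytes\s*=\s*(.+)$", re.IGNORECASE)


def parse_byte_ranges(header):
    """Parse 'bytes=a-b,c-,-n' into [(a, b), (c, None), (None, n)]; None if malformed."""
    m = RANGE_RE.match(header)
    if not m:
        return None
    ranges = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        if not spec:
            continue  # tolerate an empty element such as 'bytes=0-1,,2-3'
        if "-" not in spec:
            return None
        start, end = spec.split("-", 1)
        if not start and not end:
            return None
        try:
            ranges.append((int(start) if start else None, int(end) if end else None))
        except ValueError:
            return None
    return ranges


def overlaps(ranges):
    """True if two ranges with a known start cover a common byte ('a-' runs to end of file)."""
    spans = sorted((s, float("inf") if e is None else e) for s, e in ranges if s is not None)
    return any(s2 <= e1 for (_, e1), (s2, _) in zip(spans, spans[1:]))


def classify_range_header(header, max_ranges=MAX_RANGES):
    """Return 'malformed', 'reject' (too many or overlapping ranges) or 'ok'."""
    ranges = parse_byte_ranges(header)
    if ranges is None:
        return "malformed"
    if len(ranges) > max_ranges or overlaps(ranges):
        return "reject"
    return "ok"
```

A request classified as "reject" can be served in full (ignoring the Range header) or refused with 416, which is the fallback the fixed Apache releases also use when the range set is abusive.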

“However conservative you might be, if you’re an Oracle user, this patch is definitely recommended in a hurry,” Ducklin wrote. “The general unwillingness of Oracle to deviate from its once-every-three-months patch cycle spells one word: ‘Importance.’”

Written By

Marketing professional with a background in journalism and a focus on IT security.
