SecurityWeek

Oracle Issues Emergency Security Advisory

In a rare move, Oracle broke its normal procedures and issued an emergency patch due to concerns about the impact of a successful attack.

The fix addresses a denial-of-service vulnerability in Oracle HTTP Server, Oracle’s Apache-based web server. According to Oracle, the issue affects multiple versions of Oracle Fusion Middleware 11g Release 1, Oracle Application Server 10g Release 3 and Oracle Application Server 10g Release 2.

“This security alert addresses the security issue CVE-2011-3192, a denial of service vulnerability in Apache HTTPD, which is applicable to Oracle HTTP Server products based on Apache 2.0 or 2.2,” the company wrote in an advisory. “This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the availability of un-patched systems.”

This is just the fifth time Oracle has released an out-of-band patch since it began its quarterly Critical Patch Update cycle in 2005, blogged Paul Ducklin, Sophos’ head of technology for Asia Pacific.

“The vulnerability, CVE-2011-3192, allowed even a single web client to trigger a huge number of simultaneous requests for large amounts of data,” he explained. “The flaw was exploited by sending a request for multiple parts of the same file at the same time.”
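The mechanism Ducklin describes is the HTTP Range header: one request can name many byte ranges of the same resource, and the vulnerable Apache code buffered each range separately, so overlapping ranges made a single client cost the server far more memory than the file itself. The following filter, an added example that is not code from the article, Oracle, Apache or Sophos, parses a Range header the way a server would, rejects requests with too many or overlapping ranges, and reports how many bytes a request actually asks for relative to the entity size. The function names, the five-range limit (chosen to mirror the interim Apache workaround, but an assumption here to be tuned per site) and the sample headers are all constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# One byte-range-spec from RFC 2616 section 14.35.1: "first-last", "first-" or "-suffix".
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

# Maximum number of ranges accepted in one request. Five mirrors the interim
# Apache workaround for CVE-2011-3192; it is an assumption for this example,
# not a value from the article, and should be tuned per site.
MAX_RANGES = 5


def parse_byte_ranges(header_value: str, content_length: int) -> Optional[List[Tuple[int, int]]]:
    """Parse a Range header into inclusive (start, end) byte offsets.

    Returns None when the header is malformed or nothing is satisfiable; a
    server treats that as "no Range header" and serves the whole entity.
    """
    if not header_value.lower().startswith("bytes="):
        return None
    ranges: List[Tuple[int, int]] = []
    for spec in header_value[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m:
            return None                      # syntax error: ignore the whole header
        first, last = m.group(1), m.group(2)
        if first == "" and last == "":
            return None
        if first == "":                      # "-N": the final N bytes
            n = int(last)
            if n == 0:
                continue
            start, end = max(content_length - n, 0), content_length - 1
        else:                                # "A-B" or "A-"
            start = int(first)
            end = min(int(last), content_length - 1) if last else content_length - 1
            if start > end:
                continue                     # unsatisfiable: skipped, not an error
        ranges.append((start, end))
    return ranges or None


def requested_bytes(ranges: List[Tuple[int, int]]) -> int:
    """Total bytes the client asked for, counting overlapping bytes every time they occur."""
    return sum(end - start + 1 for start, end in ranges)


def inspect_range_header(header_value: str, content_length: int,
                         max_ranges: int = MAX_RANGES) -> Tuple[str, str]:
    """Return ("ignore" | "reject" | "allow", reason) for one Range header.

    The two reject conditions are what made CVE-2011-3192 cheap for the
    attacker and expensive for the server: many ranges, and ranges that
    overlap so the same bytes are buffered repeatedly.
    """
    ranges = parse_byte_ranges(header_value, content_length)
    if ranges is None:
        return "ignore", "malformed or unsatisfiable; serve the full entity"
    if len(ranges) > max_ranges:
        return "reject", f"{len(ranges)} ranges exceeds the limit of {max_ranges}"
    ordered = sorted(ranges)
    for (s1, e1), (s2, e2) in zip(ordered, ordered[1:]):
        if s2 <= e1:
            return "reject", f"overlapping ranges {s1}-{e1} and {s2}-{e2}"
    amplification = requested_bytes(ranges) / content_length
    return "allow", f"{len(ranges)} ranges, {amplification:.2f}x the entity size"


# Constructed sample headers (not captured traffic): a normal resumable
# download, and one request in the shape the text describes, with many
# overlapping ranges of a single 4 KiB file.
ENTITY_SIZE = 4096
BENIGN_RANGE = "bytes=0-1023,1024-2047"
ABUSIVE_RANGE = "bytes=" + ",".join(f"0-{i}" for i in range(1300))

if __name__ == "__main__":
    for name, hdr in (("benign", BENIGN_RANGE), ("abusive", ABUSIVE_RANGE)):
        verdict, why = inspect_range_header(hdr, ENTITY_SIZE)
        print(f"{name:8s} {verdict:7s} {why}")
    asked = requested_bytes(parse_byte_ranges(ABUSIVE_RANGE, ENTITY_SIZE))
    print(f"abusive request asks for {asked} bytes of a {ENTITY_SIZE}-byte file")
```

Run stand-alone, the abusive header is rejected on the range count alone; even if the count check were removed, the overlap check would catch it, and `requested_bytes` shows the 1300-range request asking for roughly two hundred times the size of the file, which is the amplification a single client could obtain before the fix.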

The Apache Software Foundation had already shipped two releases addressing the vulnerability. The first, version 2.2.20, was released on August 30, 2011 and fixed the issue; it was followed by version 2.2.21, released on September 13, 2011, which refined the handling of Range requests and added the MaxRanges directive. The Oracle advisory does not say which of the two releases its update is based on. Release notes for version 2.2.21 are available from the Apache Software Foundation.

“However conservative you might be, if you’re an Oracle user, this patch is definitely recommended in a hurry,” Ducklin wrote. “The general unwillingness of Oracle to deviate from its once-every-three-months patch cycle spells one word: ‘Importance.’”
