In a rare move, Oracle broke its normal procedures and issued an emergency patch due to concerns about the impact of a successful attack.
The fix addresses a denial-of-service vulnerability in Oracle’s Apache Web server software. According to Oracle, the issue affects multiple versions of Oracle Fusion Middleware 11g Release 1, Oracle Application Server 10g Release 3 and Oracle Application Server 10g Release 2.
“This security alert addresses the security issue CVE-2011-3192, a denial of service vulnerability in Apache HTTPD, which is applicable to Oracle HTTP Server products based on Apache 2.0 or 2.2,” the company wrote in an advisory. “This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the availability of un-patched systems.”
This is just the fifth time Oracle has released an out-of-band patch since starting its Patch Tuesday cycle in 2005, blogged Paul Ducklin, Sophos’ head of technology for Asia Pacific.
“The vulnerability, CVE-2011-3192, allowed even a single web client to trigger a huge number of simultaneous requests for large amounts of data,” he explained. “The flaw was exploited by sending a request for multiple parts of the same file at the same time.”
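The request pattern Ducklin describes, many byte ranges of one file asked for in a single request, is visible in the HTTP Range header, so a web tier can screen for it in front of unpatched Oracle HTTP Server instances. The following detector is an added example for this article, not code from Oracle, Apache or Sophos; the threshold MAX_RANGES and the sample requests are assumptions constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed threshold (not from the article): more than this many byte ranges in one
# request is treated as abusive; a legitimate download resume needs only a handful.
MAX_RANGES = 5

_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

def parse_byte_ranges(header_value: str) -> Optional[List[Tuple[Optional[int], Optional[int]]]]:
    """Parse 'bytes=0-99,200-' into (start, end) pairs; None marks an omitted bound.
    Returns None when the unit is not 'bytes'."""
    value = header_value.strip()
    if not value.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in value[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec)
        if not m or (not m.group(1) and not m.group(2)):
            continue  # malformed spec: ignore rather than fail on attacker-controlled input
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        ranges.append((start, end))
    return ranges

def assess_range_header(header_value: str, max_ranges: int = MAX_RANGES) -> Dict[str, object]:
    """Flag a Range header that asks for too many ranges, or for ranges that overlap
    each other (the same part of the file requested more than once in one request)."""
    ranges = parse_byte_ranges(header_value) or []
    overlapping = False
    seen: List[Tuple[int, float]] = []
    for start, end in ranges:
        # A suffix range ('-500') sits at an unknown offset without the file size, so it is
        # treated conservatively as spanning the whole file for the overlap test.
        lo = 0 if start is None else start
        hi = float("inf") if end is None else end
        if any(lo <= s_hi and s_lo <= hi for s_lo, s_hi in seen):
            overlapping = True
        seen.append((lo, hi))
    return {"ranges": len(ranges), "overlapping": overlapping,
            "abusive": len(ranges) > max_ranges or overlapping}

def flag_requests(requests: List[Tuple[str, str]]) -> List[Tuple[str, int]]:
    """Given (client_ip, range_header) pairs, return the clients whose request looks abusive."""
    verdicts = [(ip, assess_range_header(hdr)) for ip, hdr in requests]
    return [(ip, int(v["ranges"])) for ip, v in verdicts if v["abusive"]]

# Constructed sample: a resumed download, a two-part request, and one with many overlaps.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "bytes=1048576-"),
    ("192.0.2.11", "bytes=0-499,500-999"),
    ("192.0.2.12", "bytes=" + ",".join(f"0-{n}" for n in range(1, 21))),
]
```

The same two checks (range count and overlap) are what a reverse proxy or mod_rewrite rule in front of the server would enforce while the Oracle patch is rolled out.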
The Apache Software Foundation has already issued two patches for the vulnerability. The first, version 2.2.20, was released at the end of August; it was followed by version 2.2.21, released more recently. The Oracle advisory does not say which of the two patches Oracle used in its update. Information about version 2.2.21, however, can be found here.
“However conservative you might be, if you’re an Oracle user, this patch is definitely recommended in a hurry,” Ducklin wrote. “The general unwillingness of Oracle to deviate from its once-every-three-months patch cycle spells one word, ‘Importance.’”
