Oracle Halts Denial Of Service Threat With Patches

Oracle has issued patches to close down a vulnerability that could cause a denial of service in some products

Oracle has addressed a number of security flaws in Oracle Fusion Middleware and Sun Products Suite after quietly releasing patches.

The out-of-band patches addressed denial-of-service vulnerabilities that were present in several Oracle products, the company said in a security alert issued 31 January. A remote user would be able to exploit this vulnerability, CVE 2011-5035, and affect the system’s availability, according to Oracle.

Recommended Install

The affected products are Oracle Application Server 10g Release 3 version 10.1.3.5.0, Oracle WebLogic Server versions 9.2.4, 10.0.2, 11gR1, 12cR1, and Oracle iPlanet Web Server 7.0 and Oracle Java System Web Server 6.1. The Oracle Containers for J2EE component in the Application Server was patched.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible,” Oracle wrote in the security alert.

Security Alert patches are provided only for product versions currently being supported under Premier or Extended Support. Oracle does not test older versions, but said it was “likely” that the vulnerabilities are in those versions.

The same vulnerability in Oracle GlassFish server was patched as part of Oracle’s Critical Patch Update last month.

The denial-of-service vulnerability was publicised by a pair of researchers at the Chaos Communication Congress conference in Germany towards the end of December. The zero-day flaw was discovered in several major Web application frameworks, including Microsoft’s ASP.NET, Apache’s Tomcat and Geronimo, PHP 4, Python, Plone, JRuby and others. Microsoft released an out-of-band update shortly after the disclosure to patch ASP.NET, and Apache Software Foundation has already updated some versions of Tomcat.

An anonymous attacker could send a specially crafted HTTP request containing thousands of form values to create a hash table so large that the Web servers consumes all CPU resources trying to process it, resulting in a denial-of-service condition, according to researchers.

Critical Fixes

The “most straightforward fix” for this attack is to limit the number of variables that can be submitted in each request to a “reasonable number,” said Wolfgang Kandek, CTO of Qualys. Kandek pegged that number to something under 10,000 variables.

However, the hash function underlying the attacks in Java remain unpatched, according to Kandek. This is unfortunate, since a patch at the Java level would “address the vulnerability in a fundamental way” on all Web and application servers that use Java, Kandek said.

Since the flaw could be remotely exploitable without authentication, Oracle considered it critical. Even though CVE-2011-5035 has a Common Vulnerability Scoring System of 5, Oracle downplayed its severity in the Risk Matrix again, assigning a “Partial+” impact rating. According to Oracle, a vulnerability’s impact is only considered “Complete” if “all software running on the machine” is affected, not just the Oracle product.

If the issue impacts just Oracle products, the company rates it as “Partial+” to indicate it was more serious than other issues with just a “Partial” rating, but it still wasn’t as bad an issue as one that crashed the entire system.

The rating is a little curious, given that the flaw could cause a denial-of-service due to hashing collisions and cause the Web server to stop responding at all.