Oracle Halts Denial Of Service Threat With Patches

Oracle has addressed a number of security flaws in Oracle Fusion Middleware and Sun Products Suite after quietly releasing patches.

The out-of-band patches addressed denial-of-service vulnerabilities that were present in several Oracle products, the company said in a security alert issued 31 January. A remote user would be able to exploit this vulnerability, CVE-2011-5035, and affect the system’s availability, according to Oracle.

Recommended Install

The affected products are Oracle Application Server 10g Release 3 version 10.1.3.5.0; Oracle WebLogic Server versions 9.2.4, 10.0.2, 11gR1 and 12cR1; Oracle iPlanet Web Server 7.0; and Oracle Java System Web Server 6.1. In Oracle Application Server, the Oracle Containers for J2EE component was patched.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible,” Oracle wrote in the security alert.

Security Alert patches are provided only for product versions currently being supported under Premier or Extended Support. Oracle does not test older versions, but said it was “likely” that the vulnerabilities are in those versions.

The same vulnerability in Oracle GlassFish server was patched as part of Oracle’s Critical Patch Update last month.

The denial-of-service vulnerability was publicised by a pair of researchers at the Chaos Communication Congress conference in Germany towards the end of December. The zero-day flaw was discovered in several major Web application frameworks, including Microsoft’s ASP.NET, Apache’s Tomcat and Geronimo, PHP 4, Python, Plone, JRuby and others. Microsoft released an out-of-band update shortly after the disclosure to patch ASP.NET, and Apache Software Foundation has already updated some versions of Tomcat.

An anonymous attacker could send a specially crafted HTTP request containing thousands of form values to create a hash table so large that the Web server consumes all its CPU resources trying to process it, resulting in a denial-of-service condition, according to researchers.

Critical Fixes

The “most straightforward fix” for this attack is to limit the number of variables that can be submitted in each request to a “reasonable number,” said Wolfgang Kandek, CTO of Qualys. Kandek pegged that number to something under 10,000 variables.
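As an added example, not code from Oracle, Qualys or any vendor named here, the following Python sketch implements the parameter-count limit Kandek describes against the request flood outlined above; the function names, the default limit of 1,000 and the sample bodies are assumptions. The point it makes is that the count must be taken on the raw body before any field is inserted into the hash table, because by then the CPU cost has already been paid.

```python
from typing import Dict, List
from urllib.parse import unquote_plus

# Assumed default. Kandek's guidance is "under 10,000"; most forms post a
# few hundred fields at most. Apply the same limit to query strings.
MAX_PARAMS = 1000

class TooManyParameters(Exception):
    """Raised before any field is inserted into the parameter table."""

def count_form_fields(body: str) -> int:
    """Count '&'-separated fields with a plain O(n) scan of the raw body.

    No hashing and no per-field allocation, so the cost is the same for
    colliding and non-colliding keys. Empty fields ("a=1&&b=2") count
    too, which only makes the check more conservative.
    """
    return body.count("&") + 1 if body else 0

def parse_form(body: str, max_params: int = MAX_PARAMS) -> Dict[str, List[str]]:
    """Decode a form-urlencoded body, enforcing the limit before building the dict.

    Checking len(params) after parsing would be too late: by then the server
    has already done the quadratic work of inserting every colliding key.
    """
    fields = count_form_fields(body)
    if fields > max_params:
        raise TooManyParameters(f"{fields} fields exceeds limit of {max_params}")
    params: Dict[str, List[str]] = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def accept_request(body: str, max_params: int = MAX_PARAMS) -> bool:
    """True if the body is within the limit; a filter would reject otherwise."""
    try:
        parse_form(body, max_params)
    except TooManyParameters:
        return False
    return True

# Constructed sample bodies: a normal login form and an oversized one with
# 20,000 distinct keys (tripping the count limit needs no collisions).
NORMAL_BODY = "user=alice&lang=en&remember=1"
OVERSIZED_BODY = "&".join(f"k{i}=v" for i in range(20000))
```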

However, the hash function underlying the attacks in Java remains unpatched, according to Kandek. This is unfortunate, since a patch at the Java level would “address the vulnerability in a fundamental way” on all Web and application servers that use Java, Kandek said.

Since the flaw could be remotely exploitable without authentication, Oracle considered it critical. Even though CVE-2011-5035 has a Common Vulnerability Scoring System (CVSS) score of 5, Oracle downplayed its severity in the Risk Matrix again, assigning a “Partial+” impact rating. According to Oracle, a vulnerability’s impact is only considered “Complete” if “all software running on the machine” is affected, not just the Oracle product.

If the issue affects only Oracle products, the company rates it “Partial+” to indicate that it is more serious than issues rated merely “Partial”, but still not as bad as one that crashes the entire system.

The rating is a little curious, given that the flaw could cause a denial of service through hash collisions and leave the Web server unable to respond at all.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.
