Oracle has addressed a number of security flaws in Oracle Fusion Middleware and Sun Products Suite after quietly releasing patches.
The out-of-band patches addressed denial-of-service vulnerabilities that were present in several Oracle products, the company said in a security alert issued 31 January. A remote user would be able to exploit this vulnerability, CVE-2011-5035, and affect the system’s availability, according to Oracle.
The affected products are Oracle Application Server 10g Release 3 version 10.1.3.5.0; Oracle WebLogic Server versions 9.2.4, 10.0.2, 11gR1 and 12cR1; Oracle iPlanet Web Server 7.0; and Oracle Java System Web Server 6.1. In the Application Server, the patched component is Oracle Containers for J2EE.
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible,” Oracle wrote in the security alert.
The same vulnerability in Oracle GlassFish server was patched as part of Oracle’s Critical Patch Update last month.
The denial-of-service vulnerability was publicised by a pair of researchers at the Chaos Communication Congress conference in Germany towards the end of December. The zero-day flaw was found in several major Web application frameworks, including Microsoft’s ASP.NET, Apache’s Tomcat and Geronimo, PHP 4, Python, Plone, JRuby and others. Microsoft released an out-of-band update shortly after the disclosure to patch ASP.NET, and the Apache Software Foundation has already updated some versions of Tomcat.
An anonymous attacker could send a specially crafted HTTP request containing thousands of form values to create a hash table so large that the Web server consumes all CPU resources trying to process it, resulting in a denial-of-service condition, according to the researchers.
The “most straightforward fix” for this attack is to limit the number of variables that can be submitted in each request to a “reasonable number,” said Wolfgang Kandek, CTO of Qualys. Kandek pegged that number at something under 10,000 variables.
However, the hash function underlying the attacks in Java remains unpatched, according to Kandek. This is unfortunate, since a patch at the Java level would “address the vulnerability in a fundamental way” on all Web and application servers that use Java, Kandek said.
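The per-request parameter cap Kandek describes is the mitigation most servers shipped for CVE-2011-5035, and the detail that matters is where the check happens: the count must be taken before any key is inserted into the hash table, otherwise the server has already paid the collision cost by the time it notices. The following is an added example written for this article, not Oracle’s, Qualys’s or any server vendor’s code; the function names, the `MAX_PARAMS` value and the sample request bodies are all constructed for illustration.

```python
"""Bound the number of form fields parsed from a request body.

Added example of the 'limit the number of variables per request'
mitigation discussed above. It is not Oracle's or Qualys's code; the
names MAX_PARAMS, ParamLimitExceeded, count_fields, parse_form_bounded
and handle_request are assumptions made for this example, and the
sample bodies at the bottom are constructed.
"""
from urllib.parse import unquote_plus

# Hypothetical cap, deliberately well under the 'something under 10,000'
# figure quoted in the article; a real deployment tunes this to its forms.
MAX_PARAMS = 1000


class ParamLimitExceeded(ValueError):
    """Raised before any hash table is populated when a body has too many fields."""


def count_fields(body: str) -> int:
    """Count form fields without decoding or storing any of them.

    Counting separators is linear in the body length and touches no
    hash table, so the check itself cannot be pushed into collision
    behaviour by the content of the keys.
    """
    if not body:
        return 0
    return body.count("&") + 1


def parse_form_bounded(body: str, max_params: int = MAX_PARAMS) -> dict[str, list[str]]:
    """Parse an application/x-www-form-urlencoded body with a field cap.

    The cap is enforced before any key is inserted into the dict, which
    is the point of the mitigation: a request carrying thousands of
    fields is rejected instead of being hashed field by field.
    """
    n = count_fields(body)
    if n > max_params:
        raise ParamLimitExceeded(f"{n} form fields exceeds limit of {max_params}")
    params: dict[str, list[str]] = {}
    for field in (body.split("&") if body else []):
        key, _sep, value = field.partition("=")
        # Repeated keys are kept as a list, as most servlet containers do.
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def handle_request(body: str, max_params: int = MAX_PARAMS) -> tuple[int, str]:
    """Return the (HTTP status, message) pair a request handler would send.

    Oversized bodies get a 413 and one short message; a burst of these
    from a single source is the signal a defender would alert on.
    """
    try:
        params = parse_form_bounded(body, max_params)
    except ParamLimitExceeded as exc:
        return 413, f"rejected: {exc}"
    return 200, f"accepted {len(params)} distinct keys"


# Constructed sample bodies: an ordinary login form and a flood of fields.
NORMAL_BODY = "user=alice&password=s3cret&remember=1"
FLOOD_BODY = "&".join(f"k{i}=v" for i in range(5000))

if __name__ == "__main__":
    print(handle_request(NORMAL_BODY))  # (200, 'accepted 3 distinct keys')
    print(handle_request(FLOOD_BODY))   # (413, 'rejected: 5000 form fields exceeds limit of 1000')
```

The separator count is a slight over-estimate when a body contains empty fields such as `a=1&&b=2`, which is the safe direction for a limit. Capping field count addresses the request-body vector the article describes; it does not change the hash function itself, which is why Kandek argues for a fix at the Java level.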
Since the flaw could be remotely exploited without authentication, Oracle considered it critical. Even though CVE-2011-5035 has a Common Vulnerability Scoring System (CVSS) score of 5, Oracle again downplayed its severity in the Risk Matrix, assigning a “Partial+” impact rating. According to Oracle, a vulnerability’s impact is only considered “Complete” if “all software running on the machine” is affected, not just the Oracle product.
If the issue affects only Oracle products, the company rates it as “Partial+” to indicate that it is more serious than issues with a plain “Partial” rating, but still not as bad as one that brings down the entire system.
The rating is a little curious, given that the flaw could cause a denial of service through hash collisions and leave the Web server not responding at all.