Last Updated: 2008-07-30 16:45:14 UTC
by David Goldsmith (Version: 3)
Oracle has released an emergency workaround for a 0-day flaw in WebLogic Server and WebLogic Express, specifically in the Apache Connector. The flaw is remotely exploitable without authentication.
Oracle's security advisory can be found here. The security advisory points to this document, which contains recommendations for two workarounds that you should implement to help mitigate the vulnerability until Oracle can release a patch.
More information about the issue can be found in the ZDNet blog post.
Thanks to Frank for the original heads-up.
Update: Changed diary to reflect that only a workaround has been released and not a patch. Received 3 lashes with a Cat5 cable from Jason, Jim and Richard. ;-)