SANS ISC: InfoSec Handlers Diary Blog


Serious 0-Day Flaw in Oracle WebLogic Server and WebLogic Express -- Workaround Released

Published: 2008-07-30
Last Updated: 2008-07-30 16:45:14 UTC
by David Goldsmith (Version: 3)

Oracle has released an emergency workaround for a 0-day flaw in WebLogic Server and WebLogic Express, specifically in the Apache Connector. The flaw is remotely exploitable without authentication.

Oracle's security advisory can be found here. The security advisory points to this document, which contains recommendations for two workarounds that you should implement to help mitigate the vulnerability until Oracle can release a patch.

More information about the issue can be found in the ZDNet blog post.

Thanks to Frank for the original heads-up.

Update: Changed diary to reflect that only a work-around has been released and not a patch. Received 3 lashes with a Cat5 cable from Jason, Jim and Richard. ;-)

David Goldsmith
