Oracle Exploit

Oracle has released an out-of-cycle patch in response to an exploit that was made public yesterday. The flaw allows unauthenticated remote code execution in WebLogic Server and WebLogic Express, and every version of WebLogic from 6.1 through 10 is affected. This is a critical vulnerability and the patch should be rolled out immediately. If for some reason that is not possible, Oracle believes two workarounds are available: restricting the length of the HTTP request line with the Apache LimitRequestLine directive, or filtering requests with the Apache mod_security module. Full details of the vulnerability and the workarounds are available here.
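As an added example (not from the original post or from Oracle's advisory), here is what the two workarounds look like in an Apache httpd front-end configuration. The 4000-byte cap, the rule id and the message text are assumptions for illustration; take the actual limit from Oracle's advisory for the version you run.

```apache
# Added example, not Oracle's or the post's own configuration.
# Limit values below are assumptions; use the figure from Oracle's advisory.

# Default httpd behaviour: LimitRequestLine is 8190 bytes, which still lets an
# oversized request line reach the WebLogic plug-in. Shown here for contrast.
#LimitRequestLine 8190

# Workaround 1: cap the request line (method + URI + protocol). Requests that
# exceed the cap are rejected by httpd core with 414 before any module sees them.
LimitRequestLine 4000

# Workaround 2: ModSecurity 2.x rule that rejects over-long request lines in
# phase 1 (request headers), i.e. before the proxy / WebLogic plug-in runs.
<IfModule security2_module>
    SecRuleEngine On
    SecRule REQUEST_LINE "@rx ^.{4001,}$" \
        "id:1000001,phase:1,deny,status:400,log,msg:'Request line exceeds 4000 bytes'"
</IfModule>
```

To confirm the mitigation is in place, send a request whose URI is longer than the cap (for example a path of several thousand repeated characters) and check that the response is 414 from LimitRequestLine or 400 from the mod_security rule rather than a normal application response. When both are configured, the core limit fires first, so the mod_security rule only matters if the directive is set higher or omitted.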
