Oracle Corp. has issued an out-of-band security alert addressing a denial-of-service vulnerability in the open source Apache Web server that could affect some of its server components. The update, released Sept. 15, affects Oracle Fusion Middleware and Application Server products.
The vulnerability could be exploited remotely without authentication and could enable an attacker to crash a system over a network without account credentials.
To exploit the flaw, an attacker can ask for multiple overlapping parts of a large file in a single request. The vulnerability allows attackers to mount an Apache DDoS attack without having masses of computing firepower at their disposal, according to Sophos Security Consultant Paul Ducklin.
“This is only the fifth time Oracle has issued an alert outside its routine quarterly patch cycle since introducing its own version of Patch Tuesday at the start of 2005,” Ducklin wrote in Sophos’ Naked Security blog.
The vulnerability was found to be fairly easy to exploit by abusing a feature of Web servers that lets users pause and resume interrupted downloads, or request a large file as smaller pieces that are stitched together later.
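As an added example (not code from the article, Oracle or Apache), a reverse-proxy-style check for the abuse described above: it parses a Range header into absolute byte ranges and flags a request whose parts overlap, or which carries more parts than an assumed threshold of five, since a legitimate resumed download needs only one.

```python
import re
from typing import List, Optional, Tuple

# Assumed policy thresholds for this example (not from the advisory or any
# vendor patch): a resumed download needs one range, so more than
# MAX_RANGES parts, or any overlap between parts, is treated as abuse.
MAX_RANGES = 5

_BYTES_RE = re.compile(r"^bytes=(.+)$", re.IGNORECASE)


def parse_ranges(header: str, size: int) -> Optional[List[Tuple[int, int]]]:
    """Turn a Range header into absolute (start, end) pairs for a file of
    `size` bytes. Returns None if any part is malformed or unsatisfiable."""
    m = _BYTES_RE.match(header.strip())
    if not m or size <= 0:
        return None
    ranges = []
    for part in m.group(1).split(","):
        first, sep, last = part.strip().partition("-")
        if not sep or (first == "" and last == ""):
            return None
        try:
            if first == "":                      # "-N": the final N bytes
                start, end = max(size - int(last), 0), size - 1
            else:                                # "N-" or "N-M"
                start = int(first)
                end = min(int(last), size - 1) if last else size - 1
        except ValueError:
            return None
        if start > end:                          # e.g. "100-50": unsatisfiable
            return None
        ranges.append((start, end))
    return ranges


def range_verdict(header: str, size: int) -> str:
    """Classify a Range header: 'ok', 'malformed', 'too-many' or 'overlap'."""
    ranges = parse_ranges(header, size)
    if ranges is None:
        return "malformed"
    if len(ranges) > MAX_RANGES:
        return "too-many"
    prev_end = -1
    for start, end in sorted(ranges):
        if start <= prev_end:                    # re-reads bytes already requested
            return "overlap"
        prev_end = end
    return "ok"


if __name__ == "__main__":
    # Constructed sample headers, checked against a 1 MB file
    for h in ["bytes=0-99", "bytes=0-499,500-999", "bytes=0-,10-20",
              "bytes=0-,1-,2-,3-,4-,5-", "bytes=-500", "bytes=abc"]:
        print(f"{h!r:32} -> {range_verdict(h, 1_000_000)}")
```

A proxy or WAF rule would log and reject anything other than "ok", while the origin server serves the full file for a malformed header as the HTTP specification allows.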
This is the second official patch for the DDoS vulnerability, CVE-2011-3192. The Apache Software Foundation issued a critical update at the end of August, when it announced the release of version 2.2.20 of the Apache HTTP Server to fix the flaw. Oracle quickly produced that patch after identifying it in the wild a week before.
In its security advisory, Oracle warns, “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible.”