News

Oracle issues out-of-band Apache update

Hillary O'Rourke, Contributor

Oracle Corp. has issued an out-of-band security alert addressing a denial-of-service vulnerability in the open source Apache Web server that could affect some of its server components. The update, released Sept. 15, affects Oracle Fusion Middleware and Application Server products.

The vulnerability could be exploited remotely without authentication and could enable an attacker to crash a system over a network without account credentials.

To exploit the flaw, an attacker can ask for multiple overlapping parts of a large file in a single request. The vulnerability allows attackers to mount an Apache DDoS attack without having masses of computing firepower at their disposal, according to Sophos Security Consultant Paul Ducklin.

“This is only the fifth time Oracle has issued an alert outside its routine quarterly patch cycle since introducing its own version of Patch Tuesday at the start of 2005,” Ducklin wrote in Sophos’ Naked Security blog.

The vulnerability turned out to be fairly easy to exploit by abusing a Web server feature that lets users restart, pause and resume interrupted downloads, or download a large file as smaller pieces that are stitched together later.
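
As an added example, not part of this article or of Oracle's or Apache's own code, here is a request filter in the spirit of the interim workaround Apache published for this flaw: it parses the byte-range request described above and flags requests that ask for too many or overlapping ranges of a file. The threshold, the body length and the sample headers are assumed values constructed for illustration.

```python
import re

# Constructed example, not Oracle's or Apache's code. The threshold of five
# ranges is an assumption chosen to match Apache's published workaround.
MAX_RANGES = 5
_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_ranges(header, length):
    """Parse 'bytes=a-b,c-d,...' into (start, end) pairs for a body of
    `length` bytes. Returns None when the header is not a valid byte-range
    set (a server would then ignore it and send the whole body)."""
    if not header.startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = _SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.groups()
        if first == "":                       # suffix form "-N": last N bytes
            start, end = max(length - int(last), 0), length - 1
        else:
            start = int(first)
            end = length - 1 if last == "" else min(int(last), length - 1)
        if start <= end:                      # drop unsatisfiable ranges
            ranges.append((start, end))
    return ranges


def has_overlap(ranges):
    """True if any two ranges share a byte; after sorting by start offset,
    checking each adjacent pair is sufficient."""
    s = sorted(ranges)
    return any(s[i][1] >= s[i + 1][0] for i in range(len(s) - 1))


def range_verdict(header, length, max_ranges=MAX_RANGES):
    """Return 'ok', 'malformed', 'too_many' or 'overlapping' for a Range
    header. Anything other than 'ok' is a request the filter would answer
    with the full body (or a 403) instead of handing it to the byte-range
    code path, which is where the resource exhaustion occurred."""
    ranges = parse_ranges(header, length)
    if ranges is None:
        return "malformed"
    if len(ranges) > max_ranges:
        return "too_many"
    if has_overlap(ranges):
        return "overlapping"
    return "ok"
```

In a real deployment this check sits in front of the server (reverse proxy or request filter); rejecting overlapping ranges outright is stricter than the HTTP specification requires, which is the point of a mitigation.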

This is the second official patch for the DDoS vulnerability, CVE-2011-3192. The Apache Software Foundation issued a critical update at the end of August, when it announced the release of version 2.2.20 of the Apache HTTP Server to fix the flaw. Oracle quickly produced that patch after identifying it in the wild a week before.

In its security advisory, Oracle warns, “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible.”
