[ISN] Oracle issues zero-day security alert

From: InfoSec News <alerts_at_private>
Date: Fri, 1 Aug 2008 04:06:00 -0500 (CDT)

By Shaun Nichols in San Francisco
31 Jul 2008

Oracle has posted an alert [1] for a serious flaw in its WebLogic Server 
and Express products.

The issue lies within the Apache Connector component used by both 
systems, and attack code is publicly available.

Oracle warned that the flaw could be remotely exploited by an attacker 
without the need for any authentication information, and could give 
the attacker control over the targeted system.

The company has not yet issued a patch, but has provided a set of 
workarounds to help administrators mitigate the risk. It is currently 
working on a patch.

The warning comes just two weeks after Oracle issued a major security 
update [2] which patched 45 vulnerabilities in 23 of its products.

Security firm Sans and the US Computer Emergency Response Team recommend 
that administrators read Oracle's advisory and take the suggested 

[1] https://support.bea.com/application_content/product_portlets/securityadvisories/2793.html 
[2] http://www.vnunet.com/vnunet/news/2221868/oracle-issues-security-updates

Received on Fri Aug 01 2008 - 02:06:00 PDT
