http://www.theregister.co.uk/2010/02/08/oracle_weblogic_update/ By Dan Goodin The Register 8th February 2010 Oracle issued an emergency patch for its WebLogic Server almost two weeks after a white-hat hacker disclosed a vulnerability that allows criminals to remotely execute commands on the webserver with no authentication necessary. The vulnerability in the Node Manager component of Oracle WebLogic Server can be exploited by carrying out commands over a network without requiring a username and password, Oracle warned late last week. The company went through the unusual step of issuing a patch outside its normal update cycle. The out-of-band release came 12 days after Evgeny Legerov, CEO of Russian security firm Intevydis, disclosed a WebLogic vulnerability that sounded almost identical to the one described in the Oracle advisory. Legerov recently blogged his intention to do away with so-called "responsible disclosure" practices, in which researchers privately notify software makers about bugs in their products to prevent criminals from exploiting the defects before they're fixed. Intevydis was dispensing with the practice "because it is enforced by vendors and it allows vendors to exploit security researches to do QA work for free," he wrote. [...] ________________________________________ Did a friend send you this? From now on, be the first to find out! Subscribe to InfoSec News http://www.infosecnews.orgReceived on Mon Feb 08 2010 - 22:22:40 PST
This archive was generated by hypermail 2.2.0 : Mon Feb 08 2010 - 22:45:31 PST