[ISN] Oracle issues emergency security patch for WebLogic

From: InfoSec News <alerts_at_private>
Date: Tue, 9 Feb 2010 00:22:40 -0600 (CST)
http://www.theregister.co.uk/2010/02/08/oracle_weblogic_update/

By Dan Goodin
The Register
8th February 2010

Oracle issued an emergency patch for its WebLogic Server almost two 
weeks after a white-hat hacker disclosed a vulnerability that allows 
criminals to remotely execute commands on the webserver with no 
authentication necessary.

The vulnerability in the Node Manager component of Oracle WebLogic 
Server can be exploited by carrying out commands over a network without 
requiring a username and password, Oracle warned late last week. The 
company took the unusual step of issuing a patch outside its normal 
update cycle.

The out-of-band release came 12 days after Evgeny Legerov, CEO of 
Russian security firm Intevydis, disclosed a WebLogic vulnerability that 
sounded almost identical to the one described in the Oracle advisory. 
Legerov recently blogged his intention to do away with so-called 
"responsible disclosure" practices, in which researchers privately 
notify software makers about bugs in their products to prevent criminals 
from exploiting the defects before they're fixed.

Intevydis was dispensing with the practice "because it is enforced by 
vendors and it allows vendors to exploit security researchers to do QA 
work for free," he wrote.

[...]


Received on Mon Feb 08 2010 - 22:22:40 PST
