In association with heise online

07 February 2010, 08:40

Unscheduled patch from Oracle

A critical vulnerability in the WebLogic Server Node Manager has forced Oracle to release an unscheduled update outside of its normal quarterly patch cycle. According to an alert issued by the vendor, the vulnerability can be remotely exploited by an unauthenticated user to compromise a system.

This is apparently more easily accomplished on Windows systems than on Unix – Oracle has assigned the vulnerability a risk score (CVSS) of 10 under Windows, but just 7.5 under Unix.

The following versions are affected:

  • Oracle WebLogic Server 11gR1 (10.3.1 and 10.3.2)
  • Oracle WebLogic Server 10gR3 10.3.0
  • Oracle WebLogic Server 10.0 through MP2
  • Oracle WebLogic Server 9.0, 9.1, 9.2 through MP3
  • Oracle WebLogic Server 8.1 through SP6
  • Oracle WebLogic Server 7.0 through SP7

Oracle is advising users to install the update as soon as possible. Oracle fixed a total of 24 vulnerabilities as recently as mid-January, including multiple vulnerabilities in its WebLogic Server. A vulnerability in Oracle 11gR2 that allows unprivileged users to obtain system privileges was also discovered earlier this week and currently remains unpatched.
