Unscheduled patch from Oracle
A critical vulnerability in the WebLogic Server Node Manager has forced Oracle to release an unscheduled update outside of its normal quarterly patch cycle. According to an alert issued by the vendor, the vulnerability can be remotely exploited by an unauthenticated user to compromise a system.
The vulnerability is apparently easier to exploit on Windows systems than on Unix: Oracle has assigned it a CVSS risk score of 10 under Windows, but only 7.5 under Unix.
The following versions are affected:
- Oracle WebLogic Server 11gR1 (10.3.1 and 10.3.2)
- Oracle WebLogic Server 10gR3 10.3.0
- Oracle WebLogic Server 10.0 through MP2
- Oracle WebLogic Server 9.0, 9.1, 9.2 through MP3
- Oracle WebLogic Server 8.1 through SP6
- Oracle WebLogic Server 7.0 through SP7
Oracle is advising users to install the update as soon as possible. As recently as mid-January, Oracle fixed a total of 24 vulnerabilities, including multiple vulnerabilities in its WebLogic Server. A vulnerability in Oracle 11gR2 that allows unprivileged users to obtain system privileges was also discovered earlier this week and currently remains unpatched.
- Oracle Security Alert for CVE-2010-0073
- Oracle patches 24 holes
- Vulnerability in Oracle 11gR2 allows system privileges for all