A patch is now available for a denial-of-service vulnerability caused by hash collisions in the Oracle WebLogic Server, Application Server, and iPlanet Web Server.
Oracle warned in a security advisory that the vulnerability might be “remotely exploitable without authentication,” which means an attacker could exploit it over a network without the need for a username or password. Hash collisions occur when two distinct pieces of data have the same hash value.
The company said a fix for the same vulnerability in the GlassFish Server was released in its quarterly patch update last month. In that update, Oracle shipped 78 patches across the full range of its products, including two fixes to its Database Server.
Oracle has come under fire for its Database patching process. Following the January patch update, Alex Rothacker with TeamSHATTER and Amichai Shulman, chief technology officer with Imperva, criticized the company for only patching two Database vulnerabilities.
In late January, Oracle also offered a patch for a bug in OpenSSL introduced in an earlier fix of other issues.
OpenSSL developers released versions 1.0.0g and 0.9.8t to address a denial-of-service (DoS) issue introduced by one of the six fixes included in the version released earlier this month.
The problem came from the fix for a critical vulnerability in the CBC (“Cipher block chaining”) encryption mode which enabled plaintext recovery against OpenSSL’s implementation of DTLS (Datagram TLS).
The advisory said the DoS flaw affected only users of DTLS applications that use OpenSSL 1.0.0f and 0.9.8s.
Earlier in January, a new version of the OpenSSL package fixed six vulnerabilities, including a plaintext recovery attack on the DTLS implementation.
There were two other cryptographic flaws fixed in OpenSSL 1.0.0f, and a few other less-serious problems.
The most problematic of the vulnerabilities fixed in the new version is the one that enables the plaintext recovery attack, discovered by a pair of security researchers who found a way to extend the CBC padding oracle attack. The attack enables someone to exploit the problem with OpenSSL’s DTLS implementation to recover the plaintext version of an encrypted message.