
Oracle has released an emergency patch for a vulnerability that could bring down the Apache 2.0- or 2.2-based HTTP application servers it sells.

Attackers can exploit the weakness remotely without a username or password, Oracle said in its security alert.


Products hit by the bug include Oracle Fusion Middleware 11g Release 1, versions, and; Oracle Application Server 10g Release 3, version; and Oracle Application Server 10g Release 2, version

The U.S. Government’s National Vulnerability Database has assigned a CVSS (Common Vulnerability Scoring System) rating of 7.8, “indicating a complete Operating System denial of service,” Oracle said.


But Oracle took issue with that assessment in its security alert.

“A complete operating system denial of service is not possible on any platform supported by Oracle, and as a result, Oracle has given the vulnerability a CVSS Base Score of 5.0 indicating a complete denial of service of the Oracle HTTP Server but not the operating system,” it said.

Either way, the bug is serious enough for Oracle to issue the patch outside of its usual large quarterly updates.
