recent security alert, Oracle Corporation advised potentially
affected customers to patch their software against vulnerabilities
that can result in effective denial-of-service attacks against web
servers. The security alert is identified as CVE-2011-3192.
According to the Oracle, the affected systems include the
- Oracle Fusion Middleware 11g Release 1, versions:
- Oracle Application Server 10g Release 3, version 10.1.3.5.0
- Oracle Application Server 10g Release 2, version 10.1.2.3.0
The latter two are only considered affected when Oracle HTTP
Server 10g based on Apache 2.0 has been installed from Application
Server Companion CD.
The notice further states that the Oracle Enterprise Manager
includes the referenced Oracle Fusion Middleware component that is
subject to vulnerability but only if one of the above listed
affected versions is in use. Clients with OEM installed are
urged to check their Oracle Fusion Middleware versions and patch
their installations accordingly.
The Threat is Real
The denial of service vulnerability is in the Apache HTTPD
applicable to Oracle HTTP Server products based on Apache versions
2.0 or 2.2. The nature of the vulnerability is simple yet
ominous. This particular vulnerability may be exploited by a
remote user without the need for a username and password.
Further, there is at least one attack tool out that exploits this
vulnerability. The existence of "Apache Killer" has been
suspected since at least August. The potential success of an
attack by this or similar means was sufficient to get Oracle moving
on a patch.
In addition, Apache Foundation has released Apache HTTP Server
2.2.20 and 2.2.21 to address the flaws in Apache. It is currently
unclear as to whether Oracle has implemented the fixes in Apache
HTTP Server 2.2.21 in its own product updates.
How it Works
This vulnerability allows a hacker to mount a denial-of-service
attack on the Oracle HTTP server. It appears that the
operating system is not affected; however, a modest number of
simultaneous web client requests for overlapping data can quickly
overload the server. This type of attack is fairly simple to
launch even without an aggressive tool like "Apache Killer".
Oracle Issues Out-of-Cycle Patch
The threat posed by this vulernability was sufficently
serious to move Oracle to release the patch on an out-of-cycle
schedule. The next scheduled Critical Patch Update is due on
October 18, 2015; however, affected and potentially affected Oracle
users are urged to deploy the patch as soon as possible.
Out-of-cycle patches from Oracle are not a common occurence, and the
sense of urgency inferred from this off-cycle release should filter
down to the customer base.
Get the Complete
Oracle SQL Tuning Information
The landmark book
SQL Tuning The Definitive Reference" is
filled with valuable information on Oracle SQL Tuning.
This book includes scripts and tools to hypercharge Oracle 11g
performance and you can
for 30% off directly from the publisher.