In a recent security alert, Oracle Corporation advised potentially
affected customers to patch their software against a vulnerability
that can result in effective denial-of-service attacks against web
servers. The security alert is identified as CVE-2011-3192.
According to Oracle, the affected systems include the following:
- Oracle Fusion Middleware 11g Release 1, versions:
  - 11.1.1.3.0
  - 11.1.1.4.0
  - 11.1.1.5.0
- Oracle Application Server 10g Release 3, version 10.1.3.5.0
- Oracle Application Server 10g Release 2, version 10.1.2.3.0
The latter two are only considered affected when Oracle HTTP
Server 10g based on Apache 2.0 has been installed from the Application
Server Companion CD.
The notice further states that Oracle Enterprise Manager includes
the referenced Oracle Fusion Middleware component that is subject to
the vulnerability, but only if one of the affected versions listed
above is in use. Customers with OEM installed are urged to check
their Oracle Fusion Middleware versions and patch their
installations accordingly.
The Threat is Real
The denial-of-service vulnerability lies in Apache HTTPD and applies
to Oracle HTTP Server products based on Apache versions 2.0 or 2.2.
The nature of the vulnerability is simple yet ominous: it may be
exploited by a remote user without the need for a username and
password. Further, there is at least one attack tool in circulation
that exploits this vulnerability. The existence of "Apache Killer"
has been suspected since at least August. The potential success of an
attack by this or similar means was sufficient to get Oracle moving
on a patch.
In addition, the Apache Foundation has released Apache HTTP Server
2.2.20 and 2.2.21 to address the flaws in Apache. It is currently
unclear whether Oracle has incorporated the fixes from Apache HTTP
Server 2.2.21 into its own product updates.
How it Works
This vulnerability allows an attacker to mount a denial-of-service
attack on the Oracle HTTP Server. The operating system itself does
not appear to be affected; however, a modest number of simultaneous
web client requests for overlapping data can quickly overload the
server. This type of attack is fairly simple to launch even without
an aggressive tool like "Apache Killer".
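The "requests for overlapping data" above are HTTP Range headers carrying many overlapping byte ranges in a single request, and the interim mitigation published for Apache was to cap the number of ranges a request may carry. As an added illustration that is not part of the original article and not Oracle's or Apache's code, the Python below parses a Range header, counts overlapping ranges, and returns the verdict such a cap-based policy would give; the MAX_RANGES value and the function names are assumptions made for this example.

```python
import re

# Policy constant assumed here, modelled on the interim Apache mitigation for
# CVE-2011-3192 that capped how many byte ranges a single request may carry.
MAX_RANGES = 5
_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_ranges(header):
    """Parse "bytes=0-99,200-,-500" into [(0, 99), (200, None), (None, 500)].
    None marks an open side; returns None for a syntactically invalid set."""
    if not header.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = _SPEC.match(spec.strip())
        if not m or (m.group(1), m.group(2)) == ("", ""):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            return None  # e.g. "50-10": RFC 2616 says ignore the whole header
        ranges.append((first, last))
    return ranges


def count_overlaps(ranges, content_length):
    """Count ranges that intersect an earlier range of the same request."""
    seen, overlaps = [], 0
    for first, last in ranges:
        if first is None:  # suffix form "-N": the last N bytes of the body
            lo, hi = max(content_length - last, 0), content_length - 1
        else:
            lo = first
            hi = content_length - 1 if last is None else min(last, content_length - 1)
        if any(lo <= s_hi and s_lo <= hi for s_lo, s_hi in seen):
            overlaps += 1
        seen.append((lo, hi))
    return overlaps


def range_verdict(header, content_length, max_ranges=MAX_RANGES):
    """"partial": honour the Range set with a 206.  "full": too many or
    overlapping ranges, so drop the header and serve the whole resource with
    a 200 (what the mitigation did).  "malformed": invalid set, also 200."""
    ranges = parse_ranges(header)
    if ranges is None:
        return "malformed"
    if len(ranges) > max_ranges or count_overlaps(ranges, content_length) > 0:
        return "full"
    return "partial"
```

Serving the full resource with a 200 instead of honouring an abusive range set keeps legitimate resumable downloads working while removing the amplification the overlapping ranges provide.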
Oracle Issues Out-of-Cycle Patch
The threat posed by this vulnerability was sufficiently serious to
move Oracle to release the patch on an out-of-cycle schedule. The
next scheduled Critical Patch Update is due on October 18, 2011;
however, affected and potentially affected Oracle users are urged to
deploy the patch as soon as possible. Out-of-cycle patches from
Oracle are not a common occurrence, and the sense of urgency implied
by this off-cycle release should filter down to the customer base.
Copyright © 1996 - 2012
All rights reserved.
Oracle ©
is the registered trademark of Oracle Corporation.