Oracle rushes to patch serious flaw
The software giant has patched a flaw given its most severe vulnerability rating, after issuing an advisory on it last week.


Oracle late yesterday issued a rare out-of-cycle patch for a public flaw in its application server products that can be exploited remotely, without authentication.
The emergency patch replaces workarounds the vendor issued last week in a rare security warning about a vulnerability in the Apache plug-in for the application servers, Oracle WebLogic (formerly BEA WebLogic) Server and Express products.
Oracle advised administrators to immediately apply the patch, which replaces the vulnerable Apache plug-in with an updated version "to remedy this issue without the use of workarounds," it said.
The warning said that the flaw could be exploited remotely "over a network without the need for a username and password," compromising "the confidentiality, integrity and availability of the targeted system".
Accordingly, the flaw was rated 10 on the Common Vulnerability Scoring System (CVSS), the risk evaluation framework's most severe rating.
This is the first time in three years, since Oracle began patching its systems in a regular quarterly update cycle, that it has issued a security warning and patch outside its normal patch cycle.
The last Critical Patch Update Oracle issued was mid-July, but none of the flaws fixed then were as severe as this most recent Apache plug-in vulnerability.
A 25-year veteran enterprise technology expert, Miya Knights applies her deep understanding of technology gained through her journalism career to both her role as a consultant and as director at Retail Technology Magazine, which she helped shape over the past 17 years. Miya was educated at Oxford University, earning a master’s degree in English.
Her role as a journalist has seen her write for many of the leading technology publishers in the UK such as ITPro, TechWeekEurope, CIO UK, Computer Weekly, and also a number of national newspapers including The Times, Independent, and Financial Times.