Yesterday, Oracle issued an urgent Security Alert about a vulnerability in Oracle’s WebLogic application server (formerly BEA WebLogic). The company also provided a workaround for the vulnerability that WebLogic customers can implement until developers create a patch for the flaw. This is the first time in more than three years that Oracle has issued a security alert outside of its regularly scheduled Critical Patch Updates, making this a “must fix” for WebLogic users.
The story behind the unusual alert was broken yesterday by Eric Maurice on the Oracle Global Product Security Blog. For those of you who do not know him, Maurice anchors this blog and has made it one of the best sources of information about securing Oracle products on the web. As Maurice explained in yesterday’s post, both the vulnerability and the code to exploit it were posted on public forums before they were sent to Oracle (a definite “no no” that separates ethical hackers from the black hats of the business). To make matters worse, the exploit code hit the forums shortly after Oracle released its last Critical Patch Update on July 15, which is what is forcing Oracle to issue an out-of-cycle security update.
If you do not subscribe to the feed for the Oracle Global Product Security Blog, I would encourage you to do so. Its timely warnings could save you from a nasty breach of your JD Edwards applications.