Related Stories

Top 5 Stories


Oracle patches denial-of-service vulnerability

02 February 2012

Oracle has pushed out a patch for a denial-of-service vulnerability in the Oracle WebLogic Server, Application Server, and iPlanet Web Server due to hash collisions.

Oracle warned in a security advisory that the vulnerability might be “remotely exploitable without authentication”, which means it might be exploited over a network without the need for username or password. Hash collisions occur when two distinct pieces of data have the same hash value.

The company noted that a fix for the same vulnerability in the GlassFish Server was released in its quarterly patch update last month. In that update, Oracle shipped 78 patches across the full range of its products, including two fixes to its Database Server.

Oracle has come under fire for its Database patching process. Following the January patch update, Alex Rothacker with TeamSHATTER and Amichai Shulman, chief technology officer with Imperva, both criticized the company for only patching two Database vulnerabilities.

“Oracle, what happened? Did you throw in the towel on DBMS fixes? I know it’s not because the Database is finally fixed for good and is now suddenly secure”, Rothacker quipped.

“There are only two vulnerabilities in the database product. Why? Either the database server has reached an amazing maturity in terms of security or Oracle did not have enough resources to include more fixes into the process”, Shulman lamented.

This article is featured in:
Application Security  •  Internet and Network Security


Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×