Oracle pushes out emergency patch for Apache denial-of-service flaw

The patch updates the Apache HTTP Server (httpd) bundled with Oracle's Fusion Middleware and Application Server products. The former ships Apache HTTPD 2.2, the latter Apache HTTPD 2.0. An attack tool called "Apache Killer", which exploits the vulnerability, has been seen in the wild.

"This vulnerability may be remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the availability of unpatched systems… Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply security alert fixes as soon as possible," Oracle said in an advisory.

This is only the fifth time that Oracle has issued an alert outside its routine quarterly patch cycle since introducing that cycle in 2005, according to security firm Sophos.

“The vulnerability…allowed even a single web client to trigger a huge number of simultaneous requests for large amounts of data. The flaw was exploited by sending a request for multiple parts of the same file at the same time”, Sophos analyst Paul Ducklin explained in a blog.
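The request pattern Ducklin describes is carried in the HTTP Range header: the attack tool sends one request whose Range header lists hundreds of byte ranges over the same file, most of them overlapping, so the server does far more work than the client. The following is an added example, written for this article and not code from Oracle, Sophos, Apache or the attack tool, showing how a reverse proxy or WAF rule could screen such headers before they reach an unpatched httpd. It parses the Range header, counts the ranges, and compares the bytes requested against the bytes actually covered; the thresholds (at most five ranges, at most 2x amplification from overlap) and the sample headers are my own assumptions and constructed inputs.

```python
import re

# One byte-range-spec: "start-end", "start-" (open ended) or "-suffix" (last N bytes).
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_ranges(header, total):
    """Parse a Range header against a resource of `total` bytes.

    Returns a list of satisfiable (start, end) pairs, inclusive, or None if the
    header is syntactically malformed. Unsatisfiable specs are dropped.
    """
    if total <= 0 or not header.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec)
        if not m:
            return None
        first, last = m.groups()
        if first == "" and last == "":
            return None  # "-" alone is not a valid spec
        if first == "":
            # Suffix range: the last N bytes of the resource.
            start = max(total - int(last), 0)
            end = total - 1
        else:
            start = int(first)
            end = total - 1 if last == "" else min(int(last), total - 1)
        if start > end or start >= total:
            continue  # unsatisfiable on this resource; ignore
        ranges.append((start, end))
    return ranges


def overlap_bytes(ranges):
    """Return (bytes requested across all ranges, bytes in their union)."""
    requested = sum(end - start + 1 for start, end in ranges)
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    union = sum(end - start + 1 for start, end in merged)
    return requested, union


def classify_range_header(header, total, max_ranges=5, max_amplification=2.0):
    """Classify a Range header as no-range, malformed, abusive or ok.

    max_ranges and max_amplification are assumed policy thresholds, not values
    taken from any vendor advisory.
    """
    if not header:
        return "no-range"
    if not header.lower().startswith("bytes="):
        return "malformed"
    specs = header[len("bytes="):].split(",")
    if len(specs) > max_ranges:
        return "abusive"  # the "many parts of one file" pattern, regardless of content
    ranges = parse_ranges(header, total)
    if ranges is None:
        return "malformed"
    if ranges:
        requested, union = overlap_bytes(ranges)
        if requested > max_amplification * union:
            return "abusive"  # heavy overlap: the same bytes requested many times
    return "ok"


# Constructed sample headers for a 1 MiB resource (not captured traffic).
SAMPLE_HEADERS = {
    "single range": "bytes=0-499",
    "two disjoint ranges": "bytes=0-99,200-299",
    "last 500 bytes": "bytes=-500",
    "same range three times": "bytes=0-999,0-999,0-999",
    "killer-style flood": "bytes=0-," + ",".join("5-%d" % i for i in range(1300)),
    "not bytes": "items=0-5",
}

if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        print("%-24s %s" % (name, classify_range_header(value, 1024 * 1024)))
```

Flagging on the raw spec count before parsing matters: the flood header is deliberately full of specs such as `5-0` that a strict parser would reject, and rejecting the whole header as malformed would let it pass as a normal 200 response on some servers while still leaving the decision to the vulnerable code path on others.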

“However conservative you might be, if you're an Oracle user, this patch is definitely recommended in a hurry. The general unwillingness of Oracle to deviate from its once-every-three-months patch cycle spells one word, ‘Importance’”, Ducklin added.
