Oracle late yesterday issued a rare out-of-cycle patch for a public flaw in its application server products that can be exploited remotely, without authentication.
The emergency patch replaces workarounds the vendor issued last week in a rare security warning about a vulnerability in the Apache plug-in for the application servers, Oracle WebLogic (formerly BEA WebLogic) Server and Express products.
Oracle advised administrators to apply the patch immediately, which replaces the vulnerable Apache plug-in with an updated version "to remedy this issue without the use of workarounds," it said.
The warning said that the flaw could be exploited remotely "over a network without the need for a username and password," compromising "the confidentiality, integrity and availability of the targeted system".
Accordingly the flaw was rated 10 on the Common Vulnerability Scoring System (CVSS) the risk evaluation framework's most severe rating.
This is the first time in three years, since Oracle began patching its systems in a regular quarterly update cycle, it has issued a security warning and patch outside its normal patch cycle.
The last Critical Patch Update Oracle issued was mid-July, but none of the flaws fixed then were as severe as this most recent Apache plug-in vulnerability.
