Oracle is working to develop a patch for a major security hole
in its WebLogic product that could allow anyone to gain access to
affected IT systems. It has recommended that users deploy a
workaround in the meantime to protect systems, while it develops a
permanent patch.
The company issued a security alert after the hole in WebLogic
was revealed to internet users. The vulnerability affects the
Apache Connector component (mod_weblogic) of the Oracle Weblogic
Server (formerly BEA WebLogic Server). Oracle warned that this
vulnerability could be remotely exploited without authentication,
which means a hacker could gain access to the server without a
username and password.
As an interim step, until it releases the patch,
Oracle has published a workaround, which reconfigures the
Apache component to reject invalid data.
Misconfiguration in application server software can often lead
to lower levels of security, which makes the server open to hacking
attacks. Research from enterprise application security specialist
Fortify' revealed that certain configurations of Apache Axis,
Apache Axis 2, IBM WebSphere 6.1 and Microsoft .NET Web Services
Enhancements (WSE) 2.0 and Microsoft Windows Communication
Foundation (WCF), adversely affect security. Poor configuration
could lead to weak authentication and weak encryption, Fortify
warned.