By Dan Goodin
8th February 2010
Oracle issued an emergency patch for its WebLogic Server almost two
weeks after a white-hat hacker disclosed a vulnerability that allows
criminals to remotely execute commands on the webserver with no
The vulnerability in the Node Manager component of Oracle WebLogic
Server can be exploited by carrying out commands over a network without
requiring a username and password, Oracle warned late last week. The
company took the unusual step of issuing a patch outside its
normal update cycle.
The out-of-band release came 12 days after Evgeny Legerov, CEO of
Russian security firm Intevydis, disclosed a WebLogic vulnerability that
sounded almost identical to the one described in the Oracle advisory.
Legerov recently blogged his intention to do away with so-called
"responsible disclosure" practices, in which researchers privately
notify software makers about bugs in their products to prevent criminals
from exploiting the defects before they're fixed.
Intevydis was dispensing with the practice "because it is enforced by
vendors and it allows vendors to exploit security researchers to do QA
work for free," he wrote.