Emergency Workaround For Oracle 0-Day

Almost Live writes "Oracle has released an out-of-cycle alert to offer mitigation for a zero-day exploit that's been posted on the Internet. The emergency workaround addresses an unpatched remote buffer overflow that's remotely exploitable without the need for a username and password, and can result in compromising the confidentiality, integrity, and availability of the targeted system." Whoever published the vulnerability and matching exploit code did not contact Oracle first.

Haha!

[Anonymous Coward]

Anyone else remember Oracle's ad campaign claiming to be "unbreakable"?

Re:Unbreakable

[dannycarroll]

This exploit affects the Weblogic product. Oracle only acquired that a few months ago.

It's got squat to do with the DB product.

It's for Weblogic, not Oracle Database

[Samari711]

not nearly as panic inducing as I first thought, although I'm sure my program management is going to get all bent out of shape about it anyway. Bad news if you Apache with WL though.

Re:Another victim of C/C++ lack of array safety

[SpazmodeusG]

C++ does know the size of arrays. That's why you call call delete [] myArray; without specifying the size of the array.
What C++ doesn't do is test if the index is out of bounds every time you access the array. It makes it faster but you should remember to put the test in if the index isn't guaranteed to be correct.

Re:perhaps if they paid ...

[rubycodez]

this is an article about an exploit in the BEA Weblogic J2EE Server, which until very recently had nothing to do with Oracle (the company) at all nor Oracle (the DBMS)

I can't believe all the tards here going off about Oracle's DBMS code base.

Re:Unbreakable

[Anonymous Coward]

very true, it is only the patch from 2 weeks ago for the other 45 vulnerabilities we have to worry about :(. God I hate there quarterly patch cycle, too many important security patches mixed up with other stuff that needs extensive testing before deployment.

Re:Another victim of C/C++ lack of array safety

[MadKeithV]

The thread is talking about arrays, and you mention std::list. Right, C++ standard library golden rule #1: always use std::vector, unless you have a really, REALLY, REALLY good reason to use something else. See also one of the other child posts.
std::vector is the array replacement. It has good random access speed. It is guaranteed to use contiguous memory. If it's not fast enough that's probably because you are allocating memory because you are storing by value and the STL makes a lot of copies of stored values internally in many operations(see other child post) - and that can be solved without defaulting to pointers by using a custom allocator.
If any of this seems too complex to you, you shouldn't have been bothering with performance-critical C++ yet, and learning more about the language and libraries first. I recommend the book "Efficient C++" [google.be] by Dov Bulka and David Mayhew as an introduction, and "Effective STL" [amazon.com] by Scott Meyers for more on the standard library.

Re:It's for Weblogic, PANIC!!!!

[Gunstick]

you should panic if it's for weblogic. Your oracle databases are not open to the Internet. But weblogic, or especially this buggy plugin in your apache, is!
That means: potentially free access to your webserver!

Re:what in the world is mod_wl do?

[vhogemann]

It's a module that implements a communication protocol, this protocol enables features that are useful when dealing with clusters, such as load balancing, server affinity (user with an active session always hits the same server), better integration with caches and reverse-proxies, etc...

Re:fuck unbreakable. it sucks.

[technomom]

Did anyone actually drill through the article to the fix?

The exploit is in BEA WebLogic server, not in the Oracle database. BEA is a web application server company that Oracle acquired about 2 months ago.