Emergency Workaround For Oracle 0-Day
Almost Live writes "Oracle has released an out-of-cycle alert to offer mitigation for a zero-day exploit that's been posted on the Internet. The emergency workaround addresses an unpatched remote buffer overflow that's remotely exploitable without the need for a username and password, and can result in compromising the confidentiality, integrity, and availability of the targeted system." Whoever published the vulnerability and matching exploit code did not contact Oracle first.
Haha! (Score:5, Informative)
Anyone else remember Oracle's ad campaign claiming to be "unbreakable"?
Re:Unbreakable (Score:5, Informative)
This exploit affects the Weblogic product. Oracle only acquired that a few months ago.
It's got squat to do with the DB product.
It's for Weblogic, not Oracle Database (Score:4, Informative)
Re:Another victim of C/C++ lack of array safety (Score:5, Informative)
What C++ doesn't do is test if the index is out of bounds every time you access the array. It makes it faster but you should remember to put the test in if the index isn't guaranteed to be correct.
Re:perhaps if they paid ... (Score:5, Informative)
This is an article about an exploit in the BEA WebLogic J2EE Server, which until very recently had nothing to do with Oracle (the company) at all, nor Oracle (the DBMS).
I can't believe all the tards here going off about Oracle's DBMS code base.
Re:Unbreakable (Score:2, Informative)
Very true, it is only the patch from 2 weeks ago for the other 45 vulnerabilities we have to worry about :(. God I hate their quarterly patch cycle, too many important security patches mixed up with other stuff that needs extensive testing before deployment.
Re:Another victim of C/C++ lack of array safety (Score:5, Informative)
std::vector is the array replacement. It has good random access speed. It is guaranteed to use contiguous memory. If it's not fast enough, that's probably because you are allocating memory because you are storing by value and the STL makes a lot of copies of stored values internally in many operations (see other child post) - and that can be solved without defaulting to pointers by using a custom allocator.
If any of this seems too complex to you, you shouldn't have been bothering with performance-critical C++ yet, and should learn more about the language and libraries first. I recommend the book "Efficient C++" [google.be] by Dov Bulka and David Mayhew as an introduction, and "Effective STL" [amazon.com] by Scott Meyers for more on the standard library.
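The two comments above (testing the index yourself when it is not guaranteed to be in range, and using std::vector instead of a raw array) are illustrated by the following added example. It is not code from the page, from Oracle, BEA or WebLogic, and it does not reproduce the mod_wl bug; the record format (one length byte followed by that many payload bytes), the kMaxPayload limit and all function names are constructed for the illustration. The first parser puts the bounds tests in front of the copy loop, the second relies on std::vector::at() to test every access and throw instead of writing past the buffer.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

using Bytes = std::vector<std::uint8_t>;

// Fixed capacity of the receive buffer (constructed value for this example).
constexpr std::size_t kMaxPayload = 8;

// Parse one record in the constructed format [len:1][payload:len] into a
// fixed-capacity buffer. The explicit tests before the loop are the ones the
// comment says you "should remember to put in": once they pass, every index
// used inside the loop is provably in range, so operator[] is safe here.
Bytes parseRecordChecked(const Bytes& wire) {
    if (wire.empty()) {
        throw std::length_error("empty record");
    }
    const std::size_t declared = wire[0];
    if (declared > kMaxPayload) {
        throw std::length_error("declared length exceeds receive buffer");
    }
    if (declared > wire.size() - 1) {
        throw std::length_error("declared length exceeds bytes received");
    }
    Bytes buf(kMaxPayload, 0);
    for (std::size_t i = 0; i < declared; ++i) {
        // In range: i < declared <= kMaxPayload, and 1 + i < wire.size().
        buf[i] = wire[1 + i];
    }
    buf.resize(declared);
    return buf;
}

// Same copy without up-front tests, but through std::vector::at(), which
// checks bounds on every access and throws std::out_of_range instead of
// writing past the buffer. That per-access branch is the cost the comment
// alludes to when it says omitting the test "makes it faster".
Bytes parseRecordAt(const Bytes& wire) {
    const std::size_t declared = wire.at(0);
    Bytes buf(kMaxPayload, 0);
    for (std::size_t i = 0; i < declared; ++i) {
        buf.at(i) = wire.at(1 + i);
    }
    buf.resize(declared);
    return buf;
}

// Outcome of feeding a record to the checked parser: "ok" or "rejected".
std::string classifyChecked(const Bytes& wire) {
    try {
        parseRecordChecked(wire);
        return "ok";
    } catch (const std::length_error&) {
        return "rejected";
    }
}

// True if the at()-based parser refused the record by throwing out_of_range.
bool atRefused(const Bytes& wire) {
    try {
        parseRecordAt(wire);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

int main() {
    // Constructed inputs: a well-formed record, and one whose length byte
    // claims 32 payload bytes for an 8-byte buffer.
    const Bytes good{3, 0x61, 0x62, 0x63};
    const Bytes oversized{32, 0x41, 0x41, 0x41};
    std::cout << "good: " << classifyChecked(good)
              << ", at() refused=" << atRefused(good) << '\n';
    std::cout << "oversized: " << classifyChecked(oversized)
              << ", at() refused=" << atRefused(oversized) << '\n';
    return 0;
}
```

Both parsers reject the oversized record; the difference is where the test lives. The checked version fails fast with a meaningful error before touching the buffer, which is the form you want at a trust boundary such as a network plugin; at() is a safety net that still costs a branch per element and reports the problem only as a generic out_of_range.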
Re:It's for Weblogic, PANIC!!!! (Score:2, Informative)
You should panic if it's for WebLogic. Your Oracle databases are not open to the Internet. But WebLogic, or especially this buggy plugin in your Apache, is!
That means: potentially free access to your webserver!
Re:what in the world is mod_wl do? (Score:5, Informative)
It's a module that implements a communication protocol; this protocol enables features that are useful when dealing with clusters, such as load balancing, server affinity (a user with an active session always hits the same server), better integration with caches and reverse proxies, etc...
Re:fuck unbreakable. it sucks. (Score:5, Informative)
Did anyone actually drill through the article to the fix?
The exploit is in BEA WebLogic server, not in the Oracle database. BEA is a web application server company that Oracle acquired about 2 months ago.