Oracle is currently scrambling to produce an emergency patch for a severe vulnerability in the company's WebLogic server, as exploit code is circulating on the Web. This is the first off-schedule warning since the company introduced a regularly scheduled patch release cycle more than three years ago.
The vulnerability can be exploited over a network without a username or password. The problem lies in the Apache plugin for the Oracle WebLogic Server and WebLogic Express products (formerly known as BEA WebLogic), both of which are application servers.
The flaw can compromise the confidentiality, integrity and availability of the targeted system. It scores 10.0, the most serious rating, on the CVSS (Common Vulnerability Scoring System) scale, a framework used to evaluate the risk of a particular flaw.
The exploit code was released after July 15, the last time Oracle issued patches. The person who published the exploit code did not warn Oracle in advance. Oracle has advised administrators to apply a workaround while it works on a patch.
Releasing or using exploit code just after patches have been issued is a tactic often used against other vendors such as Microsoft, which patches on the second Tuesday of every month. Attackers are undoubtedly trying to maximize the window during which they can take advantage of a flaw before the vendor's next scheduled patch release. Microsoft, however, has been known to issue out-of-cycle patches for highly dangerous flaws.