Unexpected patches close DoS holes in Oracle products
A flaw in the way that the Apache web server processes byte range requests also affects Oracle products that incorporate the open source software. To address these problems, the company has released patches outside of its normal quarterly patch cycle.
Oracle's Fusion Middleware 11g Release 1 (versions 11.1.1.3, 11.1.1.4.0, 11.1.1.5) is affected, as is the Enterprise Manager, which contains the Fusion component. Releases 2 and 3 of the Application Server 10g are also vulnerable if the version of HTTPD 2.0 that came with the release has been installed. Oracle recommends that all customers update their software to the latest versions as soon as possible. Further details can be found on a page (log-in required) on the company's support portal.
The flaw enables attackers to cripple a web server via a Denial-of-Service (DoS) attack. However, more than just server corrections are required to fix it: the IETF is considering an HTTP modification.
(crve)