Security Alert for CVE-2011-3192 Released
By Eric P. Maurice-Oracle on Sep 15, 2011
Hi, this is Eric Maurice.
Oracle just released a Security Alert for CVE-2011-3192, also known as “Apache Killer.” This vulnerability was recently discovered in the Apache HTTP Server and publicly disclosed. It affects a number of Oracle products through their implementation of Apache, including Oracle Application Server and Oracle Fusion Middleware (a list of the affected products is provided in the Security Alert Advisory).
The National Vulnerability Database has reported a CVSS Base Score for this vulnerability of 7.8 indicating a complete Operating System denial of service (DOS); however a complete Operating System denial of service is not possible on any platform supported by Oracle, and as a result, Oracle has given the vulnerability a CVSS Base Score of 5.0 indicating a complete DOS of the Oracle HTTP Server but not the Operating System.
This vulnerability allows a malicious attacker to hang the Oracle HTTP Server product via an easy-to-deploy, unauthenticated network attack. Due to the criticality of this vulnerability and particularly its ease of exploitation, Oracle decided to release fixes for the affected and supported products as soon as the testing for these fixes was completed, before the release of the next scheduled Critical Patch Update on October 18th 2011.
Oracle recommends that all affected customers apply the fixes provided by this Security Alert as soon as possible in order to maintain their “security in depth” posture, even if they have applied some of the workarounds that have been published on the Internet, as Oracle has found that many of these workarounds can cause regression issues across the stack.
This recommendation is also applicable to other vendors’ products which may contain this vulnerability as a result of their implementation of the Apache HTTP Server. Organizations should quickly determine which of their systems is vulnerable, obtain the necessary patches from their respective suppliers, and plan to quickly apply these patches, especially in external facing systems.
For More Information:
- Security Alert CVE-2011-3192 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2011-3192-485304.html.
- More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html