Security Alert for CVE-2011-5035 Released
By Eric P. Maurice-Oracle on Jan 31, 2012
Hello, this is Eric Maurice.
Oracle just released a Security Alert for CVE-2011-5035. In recent weeks, it was widely reported in the security community that a number of programming language implementations and web servers were vulnerable to hash table collision attacks. US-CERT (United States Computer Emergency Readiness Team) has posted a detailed explanation of this issue (VU#903934) on its web site.
This vulnerability affects a significant number of products from Oracle and other vendors. It is particularly severe because it could allow an attacker to create a denial of service condition against the targeted system through an easy, unauthenticated attack over the Internet.
Today’s Security Alert provides fixes to address this issue in Oracle WebLogic Server, Oracle iPlanet Web Server, and Oracle Containers for J2EE. As usual, the availability of the fixes is noted in the Patch Availability Documents listed in the Security Alert Advisory. Note that these fixes were not included in the January 2012 Critical Patch Update, although that update did include the corresponding fix for Oracle GlassFish server.
Due to the threat posed by this vulnerability, particularly because of its ease of exploitation and the wide interest it has received in the hacking community, Oracle strongly recommends that customers apply this Security Alert as soon as possible. Users of affected non-Oracle products should contact their respective vendors as soon as possible to obtain the appropriate fix.
For More Information:
The Advisory for Security Alert for CVE-2011-5035 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2011-5035-1506603.html