Oracle has had an interesting record for the past three and a half years when it comes to security. Since January 2005, Oracle has not had to release an out-of-cycle security alert for its products.
That record ended this week with the public report of a serious vulnerability in Oracle's BEA WebLogic Web server, which rates a 10 on the Common Vulnerability Scoring System (CVSS) scale.
The vulnerability could be remotely exploited by an attacker without authentication and could leave a WebLogic server at the mercy of a hacker.
"Unfortunately, the person(s) who published this vulnerability and associated exploit codes did not contact Oracle before publicly disclosing this issue," Eric Maurice, manager for security in Oracle's global technology business unit, noted in a blog post. "This means that the vulnerability was made public before providing Oracle an opportunity to develop an appropriate fix for this issue and notify its customers."
The out-of-cycle alert comes barely two weeks after Oracle's July critical patch update, or CPU, which is a quarterly release for security updates to Oracle products. The July CPU was also the first one that included the BEA WebLogic server since Oracle acquired BEA earlier this year.
Ryan Barnett, director of application security at Breach, a software vendor in this market, noted that though the alert is an out-of-cycle patch for Oracle, it's not uncommon for BEA and not necessarily more severe.
"I would not attribute the timing of this alert to mean that it is any more severe than other high alerts issued by Oracle," Barnett told InternetNews.com. "Keep in mind that Oracle acquired BEA back in January of this year," he explained. "As you might expect, it often takes some time for organizations that have merged to iron out all of their processes, and in some cases they remain somewhat autonomous."
Barnett argued that while Oracle aims to release only four CPUs a year, it appears that the BEA division is on its own advisory patch alert cycle for its products. As evidence, Barnett pointed to BEA's alert repository, which already shows 30 alerts released for 2008.