has released an out-of-band patch to fix a gaping security hole in the
Oracle WebLogic Node Manager and, warning that an attacker could launch
remote attacks over a network without the need for a username and
The patch follows the public release of exploit code as part of the recent Week of Web Server Bugs.
From Oracle’s advisory:
successful exploitation of this vulnerability may result in a full
compromise of the targeted server on Windows. On other platforms (Unix,
Linux, etc.), the attacker may gain access to the targeted server with
the same privileges as the WebLogic server processes. This kind of
vulnerability further highlights the need to use “least privilege” as
much as possible on operating systems for running sensitive processes
Oracle is “strongly recommending” that this fix is applied immediately.
Here is the link to Oracle’s patch information. And here is the exploit code released by Evgeny Legerov.
It is very rare for Oracle to ship patches outside of its quarterly Critical Patch Update schedule.