Oracle issues rare out-of-band update for Apache DDoS vulnerability

Filed Under: Featured, Oracle, Vulnerability

Oracle, the giant enterprise database company - and, of course, owner of the erstwhile Sun Microsystems - has just published an out-of-band security update.

This is only the fifth time Oracle has issued an alert outside its routine quarterly patch cycle since introducing its own version of Patch Tuesday at the start of 2005.

The update introduces an updated version of the Apache web server, httpd, to Oracle's Fusion Middleware and Application Server products. The former product includes Apache httpd 2.2; the latter includes Apache httpd 2.0.

Apache httpd was recently discovered to be vulnerable to an easily-exploited denial of service attack. The vulnerability, CVE-2011-3192, allowed even a single web client to trigger a huge number of simultaneous requests for large amounts of data. The flaw was exploited by sending a request for multiple parts of the same file at the same time.

(The Range feature of the HTTP protocol was intended to make it easy for web clients to restart interrupted downloads where they left off, or to permit large files to be fetched piecemeal and stitched together later. Apache httpd made it easy to misuse this feature by tolerating redundant Range requests which asked for many large and overlapping parts of a single file.)

Oracle doesn't say on its public-facing web pages exactly how it patched the flawed Apache versions in its products.

The Apache Software Foundation has actually issued two official patches for httpd 2.2 relevant to the so-called byte-range flaw. Version 2.2.20 came out at the end of August, but that patch was recently superseded by 2.2.21, which is effect a patch for the 2.2.20 patch. Apache describes 2.2.21 as "[including] fixes to the patch introduced in release 2.2.20 for protocol compliance, as well as the MaxRanges directive."

It's not clear whether Oracle's out-of-band fix includes the patch-to-the-patch, which appeared only three days ago.

And the previous official Apache httpd version, 2.0, hasn't been patched since May, when 2.0.64 came out. Oracle, one assumes, has done its own back-port of the fix it applied to 2.2.

The fact that a patch-to-the-patch was necessary will no doubt cause more conservative IT administrators to say, "See. I told you that patches should never be rushed."

In this case, however, I consider the glass half-full, not half-empty. I'd argue that the first patch greatly improved the situation, despite being imperfect. The second patch simply improved the improvement further.

However conservative you might be, if you're an Oracle user, this patch is definitely recommended in a hurry. The general unwillingness of Oracle to deviate from its once-every-three-months patch cycle spells one word, "Importance."

As Oracle itself points out, in bold characters:

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible.

Sysadmins, there you have it. A little something for the weekend!

, , , , , , , ,

You might like

2 Responses to Oracle issues rare out-of-band update for Apache DDoS vulnerability

  1. exasperated · 1132 days ago

    out-of-band != out-of-cycle for crying-out-loud!

    • Paul Ducklin · 1131 days ago

      Whether you like it or not, the terms "out of band" and "out of cycle" are used synonymously with respect to patches of this sort by professional writers of good standing, and by techies in the pub. So either will do just fine in this context.

      Out of band means, loosely speaking, "not via the regular channel of communication", which is exactly what has happened here. And out of cycle means "not in the scheduled timeframe or frequency for communication," which is what has happened here.

      I happen to prefer "out-of-band" because it implies - to me - a greater sense of urgency, importance, novelty, specialness.

      Oh, and the correct orthography isn't "for crying-out-loud", for crying out loud. You're not using it as an adjective, so you need to write "for crying out loud".

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog