Reference: CERT-EU Security Advisory 2012-0013
Title: Denial of Service Vulnerability in Oracle WebLogic Server, Application Server (OC4J) and iPlanet Web Server [1-2]
Version history: 02.02.2012 Initial publication

Summary
=======

Oracle has released a security advisory about a denial of service vulnerability in Oracle WebLogic Server, Oracle Application Server (OC4J) and Oracle iPlanet Web Server due to hashing collisions. No authentication is required to exploit this vulnerability, so it may be exploited over a network without a username and password. A remote user can exploit this vulnerability to affect system availability. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply the Security Alert fixes as soon as possible [4].

CVE-2011-5035
CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P) [6]

Please see [3] for further details.

Vulnerable systems
==================

Oracle Application Server 10g Release 3, version 10.1.3.5.0
Oracle WebLogic Server, versions 9.2.4, 10.0.2, 11gR1 (10.3.3, 10.3.4, 10.3.5), 12cR1 (12.1.1)
Oracle iPlanet Web Server 7.0 and Oracle Java System Web Server 6.1
Oracle Containers for J2EE version 10.1.3.5

What can you do?
================

Security Alert patches are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that Security Alert patches are available for the versions they are currently running [4].

Product releases that are not under Premier Support or Extended Support are not tested for the presence of the vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of the affected releases are also affected by these vulnerabilities. See [1] for further details.

What to tell your users?
========================

N/A

More information
================

[1] http://www.oracle.com/technetwork/topics/security/alert-cve-2011-5035-1506603.html
[2] http://blogs.oracle.com/security/entry/security_alert_for_cve_20111
[3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5035
[4] https://login.oracle.com/mysso/signon.jsp

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in a best effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)
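The advisory's remedy is to apply the vendor fixes. For teams that also want a compensating control at the application edge, the added example below (not Oracle's or CERT-EU's code) shows the mitigation principle behind this vulnerability class: a server that inserts every request parameter into a hash table does quadratic work when all keys collide, so the parameter count is capped before any decoding or hashing takes place. The limits MAX_PARAMS and MAX_KEY_LEN are hypothetical values chosen for illustration.

```python
"""Bounded request-parameter parsing as a mitigation for hash-collision
denial of service (the vulnerability class behind CVE-2011-5035).

Constructed example, not the vendor's code. Counting parameters on the
raw string bounds the number of hash-table insertions an unauthenticated
client can force, regardless of which hash function the table uses.
"""

from urllib.parse import unquote_plus

MAX_PARAMS = 1000     # hypothetical cap on parameters per request
MAX_KEY_LEN = 256     # hypothetical cap on a single parameter name


class RequestTooLarge(ValueError):
    """Raised before any parameter is decoded or inserted into a dict."""


def parse_query_bounded(query: str, max_params: int = MAX_PARAMS,
                        max_key_len: int = MAX_KEY_LEN) -> dict:
    """Parse application/x-www-form-urlencoded data into {name: [values]},
    refusing oversized input up front.

    The count check runs on the undecoded string, so an attacker cannot
    trigger n dictionary insertions (and the collision handling they
    cause) by sending n colliding parameter names.
    """
    if not query:
        return {}
    # One cheap pass over the raw text; empty pairs ("a=1&&b=2") are
    # counted too, which only makes the check more conservative.
    if query.count("&") + 1 > max_params:
        raise RequestTooLarge(f"more than {max_params} parameters")
    params: dict[str, list[str]] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _sep, value = pair.partition("=")
        if len(key) > max_key_len:
            raise RequestTooLarge(f"parameter name longer than {max_key_len}")
        # Only now does a key reach the hash table, and at most max_params do.
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params
```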