If you haven't patched WebLogic server console flaws in the last eight days 'assume it has been compromised'

Last week Oracle released one of its mammoth quarterly patch dumps - with 402 fixes. Well, it turns out that if you missed one and you're running WebLogic 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 or 14.1.1.0.0, you've probably already been tagged by hackers. On Thursday Johannes Ullrich, Dean of Research at the SANS …

  1. Lorribot

    Oracle is making Microsoft look good

    1. Anonymous Coward

      This isn't exactly new news. Oracle has always been horrific for security. Certainly vs Microsoft's app, web and DB servers.

  2. Anonymous Coward
    Unhappy

    White hats need to look out as well...

    > "At this point, we are seeing the scans slow down a bit," he explained. But they have reached "saturation," meaning that all IPv4 addresses have been scanned for this vulnerability. "If you find a vulnerable server in your network: Assume it has been compromised."

    And the corollary is: if you are a hacker and you find a new server that is vulnerable then it's likely a honeypot.

  3. Anonymous Coward
    IT Angle

    Damned

    It's become damned if you do and damned if you don't.

    Don't patch until you've tested your implementation and have your system hacked or patch without testing and have your system break.

    No way out.

    1. Claptrap314 Silver badge

      Re: Damned

      Don't use Oracle, Microsoft, or Adobe?

      That will give you a bit of breathing space, I would think.

  4. Anonymous Coward

    WebLogic?

    Is that still a thing? Does anyone really still use it? I remember a long time ago when EJB briefly ruled corporate IT - WebLogic was expensive, bloated, buggy, slow and pointless, but people used it because it was a tiny bit better than IBM’s grim bundle of failure, WebSphere.

    Has anything changed?

    1. czechitout

      Re: WebLogic?

      Many Oracle COTS still come with WebLogic packaged as the web server.

      Another reason to move to the cloud and away from Oracle.

      1. Anonymous Coward

        Re: WebLogic?

        How does moving to the cloud make something more secure?

        1. Anonymous Coward

          Re: WebLogic?

          The "secure" relates to the income stream of the cloud vendor; nothing else.

  5. snellasaurus

    Quite a few ISV apps and also in house developed apps only run properly on WLS too (so much for the write once run anywhere dream). Expect quite a long drawn out death for this one.

  6. JoshOvki

    It seems like a fairly serious bug, but who in their right mind is exposing their admin console over the internet?!

    1. Claptrap314 Silver badge

      Those whose right minds have shriveled to peanuts, of course.
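An added example for the point JoshOvki raises, written for this page and not code from the article, from Oracle or from any commenter: a small Python inventory probe that, run from outside your perimeter, asks each host for the WebLogic console login page and reports whether an admin console answered. The console path `/console/login/LoginForm.jsp`, the default port 7001 and the `WebLogic` marker in the login page body are my assumptions, not facts stated on this page; the sample responses in `CONSTRUCTED_RESPONSES` are constructed, not captured from any real server.

```python
"""Inventory probe: does a WebLogic admin console answer from this vantage point?

Added example, not Oracle's code. Assumptions (not from the page): the console
login page sits at CONSOLE_PATH, the default listen port is 7001, and the login
page body contains the string "WebLogic". Adjust for your deployment.
"""
import http.client
import ssl
import sys

CONSOLE_PATH = "/console/login/LoginForm.jsp"  # assumed console login path
DEFAULT_PORT = 7001                             # assumed default listen port


def classify(status, location, body):
    """Map one HTTP response to the console path onto an inventory verdict.

    'exposed' : a console answered (login page, or a redirect into /console)
    'closed'  : something answered, but nothing is deployed at that path
    'blocked' : a 403 from a WAF/proxy; the console may exist behind it
    'unknown' : anything else (custom error page, other app); check by hand
    """
    if status == 200 and b"WebLogic" in body:
        return "exposed"
    if status in (301, 302, 303, 307, 308) and location and "/console" in location:
        return "exposed"
    if status == 404:
        return "closed"
    if status == 403:
        return "blocked"
    return "unknown"


def probe(host, port=DEFAULT_PORT, use_tls=False, timeout=5.0):
    """Fetch CONSOLE_PATH from host:port and classify the answer.

    Returns 'unreachable' when no TCP/TLS/HTTP answer arrives within timeout.
    TLS certificates are deliberately not verified: we only want to know
    whether a console responds, not whether its certificate is valid.
    """
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", CONSOLE_PATH,
                     headers={"User-Agent": "console-inventory/1.0"})
        resp = conn.getresponse()
        body = resp.read(64 * 1024)  # the login page is small; cap the read anyway
        return classify(resp.status, resp.getheader("Location"), body)
    except (OSError, http.client.HTTPException):
        return "unreachable"
    finally:
        conn.close()


def inventory(targets, use_tls=False):
    """targets: iterable of 'host' or 'host:port'. Returns {target: verdict}."""
    results = {}
    for target in targets:
        host, _, port = target.partition(":")
        results[target] = probe(host, int(port) if port else DEFAULT_PORT, use_tls)
    return results


# Constructed responses (not captured from any real server), one per verdict
# the classifier can produce for a server that answers.
CONSTRUCTED_RESPONSES = [
    (200, None, b"<title>Oracle WebLogic Server Administration Console</title>"),
    (302, "/console/login/LoginForm.jsp", b""),
    (404, None, b"<h1>Not Found</h1>"),
    (200, None, b"<html>Welcome to nginx!</html>"),
]


def demo():
    """Classify the constructed responses offline; returns the verdict list."""
    return [classify(*r) for r in CONSTRUCTED_RESPONSES]


if __name__ == "__main__":
    # Usage: python console_inventory.py host1 host2:7002 ...
    # With no arguments, show the classifier on the constructed responses.
    if len(sys.argv) == 1:
        for resp, verdict in zip(CONSTRUCTED_RESPONSES, demo()):
            print(f"status={resp[0]} location={resp[1]!r}\t{verdict}")
    else:
        for target, verdict in inventory(sys.argv[1:]).items():
            print(f"{target}\t{verdict}")
```

Run it from a host outside your network against your own external address ranges. Any `exposed` verdict is an admin console reachable from the internet, which is exactly the situation the article's advice applies to: patch it, and treat the host as already compromised until proven otherwise. A `blocked` or `unknown` verdict is not a clean bill of health; it only means this probe could not tell, so check by hand.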
