Privacy and security news and privacy and security widget

A workaround emerged from Oracle as news circulated of a remotely exploitable flaw, without requiring authentication, involving the WebLogic platform.Both the WebLogic Server and WebLogic Express products, acquired by Oracle when the company purchased BEA, suffer from the newly disclosed vulnerability. SANS internet Storm Center said the problem stems from the Apache Connector used by the products. A WebLogic advisory noted the flaw could be exploited without authentication. Sites using Apache servers that are already configured with the mod_security module are protected from this vulnerability by the default core ruleset, according to the advisory. Using mod_security with the WebLogic plug-in for Apache serves as one workaround suggested by Oracle. The other workaround calls for an edit to httpd.conf and a restart: It is possible to configure Apache and avert this vulnerability by rejecting certain invalid requests. To do so, add the following parameter to the httpd.conf file and