Oracle has issued an emergency patch to fix a vulnerability it says could bring down HTTP application servers it sells that are based on Apache 2.0 or 2.2.
Attackers can exploit the weakness remotely without a username or password, Oracle said in a security alert issued Thursday.
Products impacted by the bug include Oracle Fusion Middleware 11g Release 1, versions 188.8.131.52.0, 184.108.40.206.0 and 220.127.116.11.0; Oracle Application Server 10g Release 3, version 10.1.3.5.0; and Oracle Application Server 10g Release 2, version 10.1.2.3.0.
The U.S. Government's National Vulnerability Database has assigned a CVSS (Common Vulnerability Scoring System) rating of 7.8, "indicating a complete Operating System denial of service," Oracle said.
But Oracle took issue with that assessment in its security alert.
"A complete Operating System denial of service is not possible on any platform supported by Oracle, and as a result, Oracle has given the vulnerability a CVSS Base Score of 5.0 indicating a complete denial of service of the Oracle HTTP Server but not the Operating System," it stated.