This security alert addresses the security issue CVE-2011-3192, a denial of service vulnerability in Apache HTTPD, which is applicable to Oracle HTTP Server products based on Apache 2.0 or 2.2. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the availability of un-patched systems.
Please note that Oracle Enterprise Manager includes the Oracle Fusion Middleware component that is affected by this vulnerability. Oracle Enterprise Manager is affected only if the affected Oracle Fusion Middleware version (noted above) is being used. Since a vulnerability affecting Oracle Fusion Middleware versions may affect Oracle Enterprise Manager, Oracle recommends that customers apply the fix for this vulnerability to the Oracle Fusion Middleware component of Oracle Enterprise Manager. For information on what patches need to be applied to your environments, refer to Security Alert CVE-2011-3192 Patch Availability Document, My Oracle Support Note 1357871.1.
Patches and relevant information for protection against this vulnerability can be found at:
My Oracle Support Note 1357871.1
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible.
|2011-September-15||Rev 1. Initial Release|
|CVE#||Component||Protocol||Sub- component||Remote Exploit without Auth.?||CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)||Supported Versions Affected||Notes|
|Base Score||Access Vector||Access Complexity||Authentication||Confidentiality||Integrity||Availability|
|CVE-2011-3192||Oracle HTTP Server||HTTP||-||Yes||5.0||Network||Low||None||None||None||Partial+||10.1.2.3 (Companion CD), 10.1.3.5 (Companion CD), 184.108.40.206, 220.127.116.11, 18.104.22.168||See Note 1|