Oracle today released an urgent, out-of-cycle security patch for a critical flaw in the Apache Connector component (mod_weblogic) of the Oracle WebLogic Server (formerly BEA WebLogic Server). The CVE ID is CVE-2008-3257. The CVSS 2.0 score for this vulnerability is 10 out of 10. To put this into perspective, no previous Oracle vulnerability since Oracle began using CVSS base scores in October 2006 has scored a 10 and only 3 previous vulnerabilities (all related to Oracle Jinitiator) have scored 9 or higher.
The major risk associated with this vulnerability is that there are multiple published expliots, which allow for an attacker to compromise the integrity of the web server.