Cybercrime

Oracle Releases Patches for Exploited Apache Struts Flaw

Oracle has released patches for many of its products to address several vulnerabilities in the Apache Struts 2 framework, including one that has been exploited in the wild for the past few weeks.

Eduard Kovacs

September 25, 2017

Oracle has released patches for many of its products to address several vulnerabilities in the Apache Struts 2 framework, including one that has been exploited in the wild for the past few weeks.

The actively exploited flaw is CVE-2017-9805, for which proof-of-concept (PoC) code was published within hours after a patch was released by Apache Struts developers on September 5. Several security firms reported seeing attacks shortly after.

The vulnerability, caused due to the way Struts deserializes untrusted data, allows remote code execution and it affects applications that use the REST plugin with the XStream handler for XML payloads.

There is a long list of Oracle products that use Apache Struts and which are exposed to attacks due to flaws in the open-source development framework. The list includes Oracle’s MySQL Enterprise Monitor, Communications Policy Management, FLEXCUBE Private Banking, Retail XBRi, Siebel, WebLogic Server, and various Financial Services and Insurance products.

The vulnerability exploited in the wild is not the only Apache Struts issue addressed in Oracle products. The company’s latest updates also fix several other Struts vulnerabilities resolved recently by the Apache Software Foundation, including CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, CVE-2017-9804 and CVE-2017-12611.

“Oracle strongly recommends that customers apply the fixes contained in this Security Alert as soon as possible,” Eric Maurice, director of security assurance at Oracle, wrote in a blog post.

US-CERT has also advised users to review Oracle’s security alert and apply the necessary updates.

Oracle highlighted the fact that the Apache Struts vulnerability exploited to breach the systems of U.S. credit reporting agency Equifax (CVE-2017-5638) was patched in its products several months ago with the release of the April 2017 Critical Patch Update (CPU).

The company has also advised customers to install the fixes released with the latest CPU, the one from July, and keep an eye out for the next round of patches, scheduled for October 17.

Written By Eduard Kovacs

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Latest News

Click to comment

Webinar: How to Build Resilience Against Emerging Cyber Threats

Thursday, March 16, 2023

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Webinar: Understanding Hidden Third-Party Identity Access Risks

Tuesday, March 28, 2023

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Tackling the Challenge of Actionable Intelligence Through Context

Making threat intelligence actionable requires more than automation; it also requires contextualization and prioritization. (Marc Solomon)

Malware Trends: What’s Old Is Still New

Many of the most successful cybercriminals are shrewd; they want good ROI, but they don’t want to have to reinvent the wheel to get it. (Derek Manky)

Are Encryption and Zero Trust Breaking Key Protections?

Compliance and ZTNA are driving encryption into every aspect of an organization’s network and enterprise and, in turn, forcing us to change how we think about protecting our environments. (Matt Wilson)

How the Best CISOs Drive Operational Resilience

Cyberattacks have exposed a myriad of vulnerabilities in our healthcare infrastructure, and will continue to do so as new and innovative medical technologies are developed. (Galina Antova)

Defeating the Deepfake Danger

Deepfakes are becoming increasingly popular with cybercriminals, and as these technologies become even easier to use, organizations must become even more vigilant. (Derek Manky)

Application Security

Source Code Security Firm Cycode Launches With $4.6 Million in Funding

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Eduard KovacsSeptember 24, 2019