Oracle Addresses Apache Struts Flaw

Monday, September 25, 2017 @ 04:09 PM gHale


Oracle released patches for its products to fix vulnerabilities inherited from the Apache Struts 2 framework they embed.

The flaw is tracked as CVE-2017-9805; proof-of-concept (PoC) code was published within hours after the Apache Struts developers released a patch on Sept. 5.


The vulnerability stems from how Struts deserialized untrusted data: the REST plugin handed request bodies to the XStream handler for XML payloads, which allowed an attacker to obtain remote code execution. Only applications that use the REST plugin with that XStream handler were affected.
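The following is an added illustration, not code from the article, from Oracle or from the Struts project. It places the unsafe pattern behind the flaw (an XStream instance that will instantiate whatever class an incoming element names) next to the standard hardening for it, an explicit class allow-list, which is the same approach Apache took in the Struts 2.3.34 and 2.5.13 fixes by restricting which classes the REST plugin's XStream instance may create. The `Order` class, the class name `XStreamAllowList` and both XML documents are constructed for the example; `<java.util.ArrayList/>` is a benign stand-in for attacker-chosen XML that names a type the endpoint never asked for. Note that XStream releases from 1.4.18 onward ship with a default allow-list of their own, so the "unsafe" instance below is only as permissive as the 2017-era versions the Struts plugin used at the time.

```java
// Added example: XStream without and with a class allow-list.
// Not the Struts REST plugin's own handler; Order and the XML are constructed.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowList {

    // Hypothetical domain object the REST endpoint is meant to receive.
    public static class Order {
        int id;
        String sku;
    }

    // Vulnerable pattern: the element name in the request body decides which
    // class gets constructed, so the caller chooses the type.
    static XStream unsafe() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        return xs;
    }

    // Hardened pattern: deny every type first, then allow only null,
    // primitives and the types this endpoint actually expects.
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { Order.class, String.class });
        xs.alias("order", Order.class);
        return xs;
    }

    public static void main(String[] args) {
        // Constructed request bodies.
        String expected = "<order><id>7</id><sku>ABC-123</sku></order>";
        String unexpected = "<java.util.ArrayList/>"; // type the endpoint never asked for

        // The allow-listed parser still handles the legitimate document.
        Order o = (Order) hardened().fromXML(expected);
        System.out.println("hardened accepted expected type: id=" + o.id + " sku=" + o.sku);

        // The unrestricted parser instantiates whatever the element names.
        Object created = unsafe().fromXML(unexpected);
        System.out.println("unsafe instantiated: " + created.getClass().getName());

        // The allow-listed parser refuses the same document before any
        // object of that type is created.
        try {
            hardened().fromXML(unexpected);
            System.out.println("hardened unexpectedly accepted the document");
        } catch (ForbiddenClassException e) {
            System.out.println("hardened rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with the XStream jar on the classpath (`javac -cp xstream-1.4.x.jar XStreamAllowList.java`, then `java -cp .:xstream-1.4.x.jar XStreamAllowList`). The check to carry into a code review is the first two `addPermission` calls: an allow-list that is added on top of XStream's permissive default, without first denying everything, still lets the caller pick the class.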

Oracle published a list of its products that embed Apache Struts and are exposed to the flaw.

The list includes Oracle’s MySQL Enterprise Monitor, Communications Policy Management, FLEXCUBE Private Banking, Retail XBRi, Siebel, WebLogic Server, and various Financial Services and Insurance products.

The vulnerability exploited in the wild is not the only Apache Struts issue addressed in Oracle products.

Oracle’s latest updates also fix other Struts vulnerabilities resolved by the Apache Software Foundation.

US-CERT also advised users to review Oracle’s security alert and apply the necessary updates.


