Last week, Equifax identified an Apache Struts 2 vulnerability, CVE-2017-5638, as having been exploited in a significant security incident. Oracle distributed the Apache Foundation’s fixes for CVE-2017-5638 several months ago in the April 2017 Critical Patch Update, which should have already been applied to customer systems well before this breach came to light.
Recently, the Apache Foundation released fixes for a number of additional Apache Struts 2 vulnerabilities, including CVE-2017-9805, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, CVE-2017-9804, and CVE-2017-12611. Oracle has just published Security Alert CVE-2017-9805 to distribute these fixes to our customers. Please refer to the Security Alert advisory for the technical details of these bugs and for the CVSS Base Score information.
Oracle strongly recommends that customers apply the fixes contained in this Security Alert as soon as possible. Furthermore, Oracle reminds customers that they should keep up with security releases and should already have applied the July 2017 Critical Patch Update, which is the most recent Critical Patch Update release.
The next Critical Patch Update release is on October 17, 2017.
For More Information:
The Security Alerts and Critical Patch Updates page is located at https://www.oracle.com/technetwork/topics/security/alerts-086861.html
A blog entry titled "Take Advantage of Oracle Software Security Assurance" is located at https://blogs.oracle.com/oraclesecurity/take-advantage-of-oracle-software-security-assurance. This blog entry provides a description of the Critical Patch Update and Security Alert programs and general recommendations around security patching.