Oracle has stepped outside its usual quarterly security fix cycle to address the latest Apache Struts 2 vulnerability.
Ever since it emerged at the start of September, CVE-2017-9805 has been (in the words of a former Australian prime minister) “a shiver looking for a spine to crawl up”, because so many vendors use Apache to build Web interfaces and bake Struts 2 into their their Web application framework.
Big Red's sprawling product set meant fixes had to be deployed across more than 20 products including Siebel Apps, Oracle Communications Policy Management, 21 financial services products, the WebLogic Server, the MySQL Enterprise Monitor, and its Retail XBRi Loss Prevention software.
While it was doing one out-of-cycle patch, Oracle also plugged CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, CVE-2017-9804, and CVE-2017-12611.
The unsafe Java deserialisation vulnerability in Struts 2 allowed miscreants to inject code into any server running a Struts application for complete remote code execution.
As infosec experts explained to The Register last week, Web application security is very much a “you snooze, you lose” game: any technical debt at all makes it hard to catch up with patches.
Oracle's not the only company to find auditing a big product suite is tough work. Cisco's scrmabled, too, and in multiple iterations of its advisory has narrowed its exposure down to four products.
Two of those – Cisco Digital Media Manager and the MXE 3500 Series Media Experience Engine – are end-of-life and won't be patched. Cisco Network Performance Analysis has been patched and its Internet video streaming suite awaits its Band-Aid. ®