Oracle has released patches for its products to fix vulnerabilities inherited from the Apache Struts 2 framework that those products bundle.
The flaw is tracked as CVE-2017-9805; proof-of-concept (PoC) code was published within hours of the patch that the Apache Struts developers released on Sept. 5.
The vulnerability stemmed from how Struts deserialized untrusted data: the REST plugin's XStream handler deserialized XML request payloads without restricting which classes could be instantiated, which allowed remote code execution. Only applications that use the REST plugin with the XStream handler for XML payloads were affected.
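Because exposure depends on two things at once, a Struts 2 build in the affected range and the REST plugin actually being deployed, a quick triage of what sits in an application's WEB-INF/lib is the first check a practitioner wants. The script below is an added example, not code from the article, from Oracle or from the Struts project. The version ranges it encodes are the ones published in Apache's S2-052 advisory for CVE-2017-9805 (2.1.2 through 2.3.33 and 2.5 through 2.5.12; fixed in 2.3.34 and 2.5.13), which this page itself does not list; the jar names it is run against are constructed sample input.

```python
"""Triage helper for CVE-2017-9805 (Struts 2 REST plugin / XStream handler).

Added example, not from the article or the Struts project. Given the jar
names found in a deployed application's WEB-INF/lib, it decides whether the
deployment matches the affected configuration: a Struts 2 version inside the
ranges named in Apache's S2-052 advisory AND the struts2-rest-plugin jar
present (without the REST plugin the XStream handler is not wired in).
"""
import re
from typing import Dict, Iterable, Tuple

# Affected ranges from Apache's S2-052 advisory for CVE-2017-9805, inclusive
# on both ends. The fixed releases are 2.3.34 and 2.5.13.
AFFECTED_RANGES = (
    ((2, 1, 2), (2, 3, 33)),
    ((2, 5, 0), (2, 5, 12)),
)

# Matches struts2-core-2.3.32.jar, struts2-rest-plugin-2.5.12.jar and also
# struts2-rest-plugin-2.5.jar (Struts ships "2.5" with no patch digit).
# Snapshot or classifier suffixes deliberately do not match: those are
# reported as unknown rather than guessed at.
_JAR_RE = re.compile(r"^(struts2-[a-z0-9-]+?)-(\d+(?:\.\d+){1,2})\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5' or '2.3.32' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(version: Tuple[int, ...]) -> bool:
    """True if the version falls inside any of the advisory's affected ranges."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def inventory(jar_names: Iterable[str]) -> Dict[str, Tuple[int, ...]]:
    """Map recognised Struts 2 artifact ids to their version tuples."""
    found: Dict[str, Tuple[int, ...]] = {}
    for name in jar_names:
        m = _JAR_RE.match(name.strip())
        if m:
            found[m.group(1)] = parse_version(m.group(2))
    return found


def assess(jar_names: Iterable[str]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'exposed', 'not-exposed' or 'unknown'."""
    jars = inventory(jar_names)
    core = jars.get("struts2-core")
    rest = jars.get("struts2-rest-plugin")
    if core is None and rest is None:
        return "unknown", "no Struts 2 jars recognised"
    if rest is None:
        return "not-exposed", "struts2-rest-plugin absent; XStream handler not in use"
    # The REST plugin jar is the one that carries XStreamHandler, so its own
    # version is the one that matters when both jars are present.
    label = ".".join(map(str, rest))
    if is_affected_version(rest):
        return "exposed", f"struts2-rest-plugin {label} is inside an affected range"
    return "not-exposed", f"struts2-rest-plugin {label} is outside the affected ranges"


# Constructed sample WEB-INF/lib listing (hypothetical, not from any real app).
SAMPLE_WEB_INF_LIB = [
    "commons-io-2.4.jar",
    "xstream-1.4.8.jar",
    "struts2-core-2.3.32.jar",
    "struts2-rest-plugin-2.3.32.jar",
]

if __name__ == "__main__":
    verdict, reason = assess(SAMPLE_WEB_INF_LIB)
    print(f"{verdict}: {reason}")
```

A filename check is only a first pass: a vendor that backports the fix without bumping the artifact version (which is what Oracle's bundled copies may look like) will still read as affected, and a hand-built jar can carry any name. Confirm against the vendor's patch record before closing a ticket either way.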
Oracle published a list of its products that bundle Apache Struts and were exposed to the flaw.
The list includes Oracle’s MySQL Enterprise Monitor, Communications Policy Management, FLEXCUBE Private Banking, Retail XBRi, Siebel, WebLogic Server, and various Financial Services and Insurance products.
This actively exploited vulnerability is not the only Apache Struts issue addressed in Oracle's products.
Oracle's latest updates also fix other Struts vulnerabilities that the Apache Software Foundation had already resolved upstream.
US-CERT advised users and administrators to review Oracle's security alert and apply the necessary updates.