본문 바로가기

취약점 정보2

Oracle Security Alert Advisory - CVE-2017-9805

728x90

The Apache Foundation’s fixes for CVE-2017-5638, an Apache Struts 2 vulnerability identified by Equifax in relation to Equifax’s recent security incident, were distributed by Oracle to its customers in the April 2017 Critical Patch Update, and should have already been applied to customer systems.

Subsequent to the Equifax breach, the Apache Foundation released fixes for a number of additional Apache Struts 2 vulnerabilities (CVE-2017-9805, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, CVE-2017-9804, and CVE-2017-12611). Oracle is distributing these fixes as part of this Security Alert for the benefit of our customers.

Oracle strongly recommends that the fixes contained in this Security Alert be applied without delay.

Please note that the vulnerabilities in this Security Alert are scored using version 3.0 of Common Vulnerability Scoring Standard (CVSS).

This Security Alert is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF.

Security Alert Supported Products and Versions

Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly "Oracle Enterprise Manager Grid Control") and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Security Alert program are available to customers who have Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Security Alert program for products in the Extended Support Phase.

References

Oracle Critical Patch Updates and Security Alerts main page  [ Oracle Technology Network ]

Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]  

Risk Matrix definitions   [ Risk Matrix Definitions ]

Use of Common Vulnerability Scoring System (CVSS) by Oracle   [ Oracle CVSS Scoring ]

English text version of the risk matrices   [ Oracle Technology Network ]

CVRF XML version of the risk matrices   [ Oracle Technology Network ]

The Oracle Software Security Assurance Blog   [ The Oracle Software Security Assurance Blog ]

List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts   [ Oracle Technology Network ]

Software Error Correction Support Policy   [ My Oracle Support Note 209768.1 ]

Affected Products and Versions

Please Refer to Security Alert CVE-2017-9805 Products and Versions for a list of Oracle products and versions that are affected by this vulnerability. The Security Alert CVE-2017-9805 Products and Versions page may be updated if new information becomes available.

 

728x90