Oracle releases security alerts between its quarterly Critical Patch Updates to shore up issues in its products. These are NOT applied for you automatically, though, which means you could be vulnerable. The latest Oracle security alert (for a vulnerability in Apache Struts 2) was released on 31 August, meaning you could have been at risk for over a month.
This Security Alert addresses CVE-2018-11776, a vulnerability in Apache Struts 2 that is rated as more serious than the flaw that let hackers steal 200,000 credit card details from Equifax.
And even though Oracle released its fix on 31 August, it is likely that most customers are still vulnerable: most organisations need to apply fixes to test and pre-production systems and then complete acceptance testing before going live. The time and effort required to apply these manual updates often means many organisations don’t apply them at all – leaving them exposed to threats.
Background: What are Critical Patch Updates?
The Critical Patch Updates are collections of security fixes for Oracle products, and are released on the Tuesday closest to the 17th day of January, April, July and October. The most recent one was released on the 19th July 2018 and the next four dates are (Source: Oracle website accessed 03/10/18):
- 16 October 2018
- 15 January 2019
- 16 April 2019
- 16 July 2019
But since the release of the Critical Patch Update on the 19th July 2018, Oracle has released a security alert for CVE-2018-11776.
Oracle issues these security alerts when a vulnerability fix is too important to wait for inclusion in the next Critical Patch Update. The Oracle Security Alert for CVE-2018-11776 was issued on the 31st August 2018. It addresses a vulnerability in Apache Struts 2 that allows unauthenticated remote code execution, leading to a complete compromise of the system.
Apache Struts 2 is an open-source web application framework for developing Java Enterprise Edition web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture, and is included as part of the Apache Web Server technology.
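To make the schedule above concrete, here is a small helper that applies the release rule exactly as stated (the Tuesday closest to the 17th of January, April, July and October) and measures how far an out-of-band Security Alert lands ahead of the next scheduled Critical Patch Update. This is an added example written for this article, not code from Oracle or Support Revolution; the function names and the ISO date inputs are our own choices. Run it against the 31 August 2018 alert to see how many extra days a site that only consumes quarterly CPUs would have waited for the fix.

```python
"""Oracle Critical Patch Update (CPU) schedule helper.

Added example, not code from Oracle or Support Revolution. It applies the
rule exactly as the article states it: a CPU is released on the Tuesday
closest to the 17th of January, April, July and October.
"""
from datetime import date, timedelta
from typing import List

CPU_MONTHS = (1, 4, 7, 10)   # January, April, July, October
TUESDAY = 1                  # date.weekday(): Monday == 0, Tuesday == 1


def closest_tuesday(anchor: date) -> date:
    """Return the Tuesday nearest to ``anchor`` (``anchor`` itself if it is one).

    The forward distance to the next Tuesday is 0..6 days; if it exceeds 3,
    the previous Tuesday is nearer. A week has 7 days, so a tie is impossible.
    """
    forward = (TUESDAY - anchor.weekday()) % 7
    if forward > 3:
        forward -= 7
    return anchor + timedelta(days=forward)


def cpu_dates(year: int) -> List[date]:
    """All four scheduled CPU release dates in ``year``."""
    return [closest_tuesday(date(year, month, 17)) for month in CPU_MONTHS]


def cpu_dates_iso(year: int) -> List[str]:
    """Same as cpu_dates, as ISO strings (convenient for reports)."""
    return [d.isoformat() for d in cpu_dates(year)]


def next_cpu_after(day: date) -> date:
    """First scheduled CPU strictly after ``day``; may roll into the next year."""
    for cpu in cpu_dates(day.year) + cpu_dates(day.year + 1):
        if cpu > day:
            return cpu
    raise RuntimeError("unreachable: next year's schedule always has a later date")


def days_until_next_cpu(alert_iso: str) -> int:
    """Days between an out-of-band Security Alert (ISO date) and the next CPU.

    This is how much longer a site that only consumes quarterly CPUs would
    have waited for the fix compared with acting on the alert itself.
    """
    alert = date.fromisoformat(alert_iso)
    return (next_cpu_after(alert) - alert).days


if __name__ == "__main__":
    print("Scheduled CPUs in 2019:", ", ".join(cpu_dates_iso(2019)))
    # 2018-08-31 is the CVE-2018-11776 alert date given in the article.
    print("Days from the 31 Aug 2018 alert to the next CPU:",
          days_until_next_cpu("2018-08-31"))
```

The computed dates for October 2018 and January, April and July 2019 match the four dates Oracle publishes above, and the gap from the 31 August 2018 alert to the 16 October 2018 CPU comes out at 46 days.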
Customers who have a valid support and maintenance agreement with Oracle will have received this security alert, but how many will have implemented the solution by now? Time is required to apply the fix to a test environment, then to the pre-production environment, before it is finally applied to production. Add the planning and testing around each of those steps, and it is longer still before those customers have addressed the vulnerability.
Is there a better way?
At Support Revolution, our customers are protected using our Advance Security Solution from Trend Micro. This solution places a firewall around the servers hosting your Oracle databases, shielding them from vulnerabilities at the server level. Our solution is far more responsive and does not require any downtime to apply fixes; if a major threat is detected, the fix can be applied in as little as 12 hours.
For the CVE-2018-11776 security alert, our customers were protected by our Advance Security Solution immediately, as soon as the Apache Software Foundation identified the threat on 22 August 2018. Had our customers waited to apply the Oracle patch, they would still be vulnerable.
Are your systems at risk? Contact us today to find out more about our Advance Security Solution, and how we can save you up to 90% on Oracle support and maintenance.