Have you applied the latest Oracle security patch for CVE-2018-11776?

Oracle releases security alerts in between its quarterly critical patch updates to shore up issues in its systems. They are NOT automatically applied for you so you could be vulnerable.

The latest Oracle security alert (a vulnerability in Apache Struts 2) was released on the 31 August so your systems were at risk for over a month.

This security alert addresses CVE-2018-11776. It is rated more serious than the flaw that let hackers steal 200,000 credit card details from Equifax.

Even though Oracle released its fix on 31 August, it is likely that most customers are still vulnerable. Organisations need to apply patches to test and pre-production systems, and then complete acceptance testing before going live. The time and effort required to apply manual updates often means many organisations don’t apply them at all. This leaves them exposed to threats.

What are critical patch updates?

Critical patch updates are collections of security fixes for Oracle products, released on the Tuesday closest to the 17th day of January, April, July, and October. The most recent one was released in July and the next four dates are (Source: Oracle website accessed 03/10/18):

  1. 16 October 2018
  2. 15 January 2019
  3. 16 April 2019
  4. 16 July 2019

But since the release of the last critical patch update on the 19 July 2018, Oracle has released a security alert for CVE-2018-11776.

Security alerts are released by Oracle when the vulnerability fix is too important to wait for inclusion in the next critical patch update. The Oracle security alert for CVE-2018-11776 was issued on the 31 August 2018. This alert addresses a vulnerability in Apache Struts 2. It allows an unauthenticated remote code execution attack leading to a complete compromise of the system.

Apache Struts 2 is an open-source web application framework for developing Java Enterprise Edition web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture. It is included as part of the Apache Web Server technology.

Customers who have a valid support and maintenance agreement with Oracle will have received this security alert, but how many customers will have implemented the solution by now? Time is required to apply the patch to a test environment, then the pre-production environment, before it is finally applied to the production environment. Let’s not forget the planning and testing around this as well, which adds more time.

Is there a better way?

At Support Revolution, our customers are protected with our Trend Micro Deep Security solution. This solution creates a firewall around estate, protecting it from vulnerabilities at the server level. Our solution is far more responsive and does not require any downtime to patch the fixes. If a major threat like CVE-2018-11776 is detected, the fix is applied in as little as 12 hours.

In this case, our customers were protected when the threat was identified on the 22 August 2018 by the Apache Software Foundation. Their systems would remain vulnerable if they had waited to apply the Oracle patch.

Are your systems at risk? Click the button below to find out about our Trend Micro Deep Security solution, and how we can save you at least 50% on Oracle Support.

[ivory-search id="29433" title="Default Search Form"]