Apache Struts 2 vulnerability

The Apache Struts 2 vulnerability may impact you. Proof-of-concept code has been released on GitHub and is actively being discussed in underground forums. No plugins are needed for this exploit: all an attacker needs is to put together a URL that gives access to the Apache Struts installation.

CVE-2018-11776

Discovered by https://www.recordedfuture.com/
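As an added defender-side example (not part of the original post): CVE-2018-11776 is triggered by OGNL expression syntax carried in a URL path segment that Struts evaluates as a namespace, so the crafted URLs described above leave a trace in web server access logs. The script below scans constructed Common Log Format lines (hosts, paths and timestamps are made up), URL-decodes each request path twice to catch double encoding, and flags any path segment containing `${...}` or `%{...}`.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Aug/2018:10:01:02 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 512
10.0.0.9 - - [23/Aug/2018:10:01:07 +0000] "GET /struts2-showcase/${marker}/help.action HTTP/1.1" 302 0
10.0.0.9 - - [23/Aug/2018:10:01:09 +0000] "GET /struts2-showcase/%24%7Bmarker%7D/help.action HTTP/1.1" 302 0
10.0.0.9 - - [23/Aug/2018:10:01:11 +0000] "GET /struts2-showcase/%25%7Bmarker%7D/help.action HTTP/1.1" 302 0
10.0.0.7 - - [23/Aug/2018:10:02:00 +0000] "GET /static/app.js?v=${build} HTTP/1.1" 200 1024
"""

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# OGNL expression markers: ${...} and %{...}
OGNL_RE = re.compile(r'[$%]\{[^}]*\}')


def decode_path(target, rounds=2):
    """Return the path part of a request target, percent-decoded up to
    `rounds` times so single- and double-encoded markers both surface."""
    path = target.split('?', 1)[0]  # the namespace comes from the path only
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def flag_ognl_namespace(line):
    """Return the first suspicious path segment in a log line, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    for segment in decode_path(m.group('target')).split('/'):
        if OGNL_RE.search(segment):
            return segment
    return None


def scan(log_text):
    """Return (line_number, segment) for every flagged request."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        segment = flag_ognl_namespace(line)
        if segment is not None:
            hits.append((n, segment))
    return hits


if __name__ == '__main__':
    for n, segment in scan(SAMPLE_LOG):
        print(f'line {n}: OGNL marker in path segment {segment!r}')
```

The query-string hit on the last sample line is deliberately not flagged, since the vulnerable namespace value is derived from the path; widen the check if your deployment also routes on parameters.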

This vulnerability was discovered August 22, 2018, and I have not been able to find a patch for it. Please do your research: if you are using Apache Struts 2, keep a close eye out for the patch, and install it as soon as it is released.

Here is a list of Oracle products that could potentially be vulnerable (this list is not exhaustive and I have not had time to validate every entry on it):

MySQL Enterprise Monitor, versions 3.2.8.2223 and prior, 3.3.4.3247 and prior, 3.4.2.4181 and prior
Oracle Communications Policy Management, versions 11.5, 12.x
Oracle FLEXCUBE Private Banking, versions 2.0, 2.1, 2.2, 3.0, 12.0, 12.0.1, 12.0.2, 12.0.3, 12.1
Oracle Financial Services Analytical Applications Infrastructure, versions 7.2, 7.3
Oracle Financial Services Analytical Applications Reconciliation Framework, versions 3.5, 3.5.1, 8.0.0 to 8.0.4
Oracle Financial Services Asset Liability Management, versions 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5
Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.0 to 8.0.4
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.0 to 8.0.4
Oracle Financial Services Data Foundation, versions 7.3.0, 7.4.0, 8.0.0 to 8.0.5
Oracle Financial Services Data Integration Hub, versions 8.0.1 to 8.0.4
Oracle Financial Services Enterprise Financial Performance Analytics, versions 8.0.0 to 8.0.5
Oracle Financial Services Funds Transfer Pricing, versions 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5
Oracle Financial Services Hedge Management and IFRS Valuations, versions 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5
Oracle Financial Services ICAAP Analytics, version 8.0
Oracle Financial Services Institutional Performance Analytics, versions 8.0.0 to 8.0.5
Oracle Financial Services Liquidity Risk Management, versions 8.0.1, 8.0.2, 8.0.4
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 1.5.0, 1.5.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5
Oracle Financial Services Pricing Management, Transfer Pricing Component / Oracle Financial Services Price Creation and Discovery, versions 8.0.0 to 8.0.5
Oracle Financial Services Profitability Management, versions 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5
Oracle Financial Services Retail Customer Analytics, versions 8.0.0 to 8.0.5
Oracle Financial Services Retail Performance Analytics, versions 8.0.0 to 8.0.5
Oracle Insurance Data Foundation, versions 8.0.0 to 8.0.5
Oracle Insurance Performance Insight for General Insurance, version 8.0
Oracle Retail XBRi Loss Prevention, versions 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1
Siebel Applications, versions 6.1, 6.2, 7.1
WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1, 12.2.1.2, 12.2.1.3

This entry was posted in infosec by rlockard.

About rlockard

Robert Lockard is a professional Oracle Designer, Developer and DBA working in the world of financial intelligence. In 1987 his boss called him into his office, told him that he was now their Oracle Wizard, then handed him a stack of Oracle tapes and told him to load them on the VAX. Since then, Robert has worked exclusively as an Oracle database designer, developer and Database Administrator. Robert enjoys flying vintage aircraft, racing sailboats, photography, and technical diving. Robert owns and flies the “Spirit of Baltimore Hon”, a restored 1948 Ryan Navion, and lives in Glen Burnie, Maryland, on Marley Creek.