Oracle Security Alert Advisory - CVE-2017-9805


The Apache Foundation’s fixes for CVE-2017-5638, an Apache Struts 2 vulnerability identified by Equifax in relation to Equifax’s recent security incident, were distributed by Oracle to its customers in the April 2017 Critical Patch Update, and should have already been applied to customer systems.

Subsequent to the Equifax breach, the Apache Foundation released fixes for a number of additional Apache Struts 2 vulnerabilities (CVE-2017-9805, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, CVE-2017-9804, and CVE-2017-12611). Oracle is distributing these fixes as part of this Security Alert for the benefit of our customers.

Oracle strongly recommends that the fixes contained in this Security Alert be applied without delay.

Please note that the vulnerabilities in this Security Alert are scored using version 3.0 of Common Vulnerability Scoring Standard (CVSS).

This Security Alert is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at:

Security Alert Supported Products and Versions

Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly "Oracle Enterprise Manager Grid Control") and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

Products in Extended Support

Patches released through the Security Alert program are available to customers who have Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Security Alert program for products in the Extended Support Phase.


Affected Products and Versions

Please Refer to Security Alert CVE-2017-9805 Products and Versions for a list of Oracle products and versions that are affected by this vulnerability. The Security Alert CVE-2017-9805 Products and Versions page may be updated if new information becomes available.

Modification History

Date Note
2017-September-22 Rev 1. Initial Release.

Appendix - Third Party Components Risk Matrix

Third Party Components Risk Matrix Executive Summary

This Security Alert addresses CVE-2017-9805 and other vulnerabilities identified by CVEs in the notes below.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Third Party Components Risk Matrix

CVE# Product Component Protocol Remote Exploit without Auth.? CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Attack Vector Attack Complexity Privs­Req'd User Interact Scope Confid­entiality Inte­grity Avail­ability
CVE-2017-9805 Apache Struts 2 REST Plugin HTTP Yes 9.8 Network Low None None Un- changed High High High 2.5.12 and before
2.3.33 and before

Additional CVEs addressed are below:

  • The fix for CVE-2017-9805 also addresses CVE-2017-12611, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, and CVE-2017-9804.