Oracle released fixes for a handful of recently patched Apache Struts 2 vulnerabilities, including a critical remote code execution vulnerability (CVE-2017-9805) that could let an attacker take control of an affected system, late last week.
The Apache Software Foundation patched the RCE vulnerability, which affects servers running apps built using the Struts framework and its REST communication plugin, earlier this month.
Scores of Oracle products, roughly two dozen in total, are affected by the vulnerability. Multiple versions of Oracle’s Financial Services product, in addition to its FLEXCUBE Private Banking product, and WebLogic Server, are included in the advisory. A full list of Oracle products and versions affected by the vulnerability can be found here.
Oracle also pushed fixes for six other vulnerabilities on Friday, including CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, CVE-2017-9804, and CVE-2017-12611.
The United States Computer Emergency Readiness Team (US-CERT) issued an alert around the updates on Monday.
Oracle Patches Apache Vulnerabilities https://t.co/rGy95kxj2E
— CISA Cyber (@CISACyber) September 25, 2017
Oracle used the advisory as an opportunity to remind users that it fixed CVE-2017-5638, the Struts vulnerability behind Equifax’s massive breach of 143 million Americans, back in April with its quarterly Critical Patch Update. The company said the April update should have already been applied to customer systems and encouraged admins to apply the fixes in this month’s advisory without delay.
Equifax meanwhile continues to grapple with the fallout surrounding the breach that allowed an attacker to siphon names, Social Security numbers, birth dates, addresses, and other information from its servers this past summer.
The credit bureau’s chairman and chief executive Richard Smith retired on Tuesday in wake of the breach. In his stead the company said Paulino do Rego Barros Jr., who previously served as president of the company’s Asia-Pacific division, will assume the role of interim chief executive.
Prior to announcing the news, trading of Equifax shares was halted Tuesday morning.
The CEO will forgo his 2017 bonus according to a copy of the retirement agreement between Equifax and Smith posted to the Securities and Exchange Commission. According to the filing Smith will stay on in an unpaid advisory role for at least 90 days. The company says it will defer decisions relating to Smith’s benefits until its Board of Directors completes their independent review of the breach.
“The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right. At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward,” Smith said in a statement Tuesday.
“Our interim CEO, Paulino, is an experienced leader with deep knowledge of our company and the industry. The Board of Directors has absolute confidence in his ability to guide the company through this transition,” Mark Feidler, the Board’s non-executive chairman, said.
Smith’s departure comes a week after the company announced its chief information officer David Webb and chief security officer Susan Mauldin, would also be retiring.
Despite retiring, according to reports Smith is still on track to testify before the Senate Banking Committee next week, on Oct. 4.
Smith will likely get an earful from senators next week, including Mark Warner (D-VA). On Tuesday in a hearing with Securities and Exchange Commission (SEC) Chairman Jay Clayton, Warner called out Equifax, calling the company a “travesty.”
“We have no ability to opt-in to these systems. We are part of these systems whether we like it or not. I’m often asked in my job on the Intelligence Committee what I think the single greatest vulnerability our country faces is, and I believe it’s cybersecurity.” Warner said.
“I think Equifax is a travesty. I think the resignation of the CEO is by no means enough… Number one, in terms of the sloppiness of their defenses. Two, in terms of the fact that this was clearly a knowable vulnerability – they had known for months, and if they had simply put a patch in place we might have precluded this… I question whether Equifax has the right to even continue providing these services with the level of sloppiness and lack of attention to cybersecurity.”