Cisco has initiated a mass security audit of all its products that incorporate a version of the Apache Struts framework, recently affected by a series of vulnerabilities, one of which is under active exploitation.
Cisco engineers will test all the software products for four Apache Struts security bugs disclosed last week.
The first Cisco security advisory covers the Struts security announcement issued on September 5 that accompanied the release of Apache Struts 2.5.13, which fixed three flaws: CVE-2017-9804, CVE-2017-9805, and CVE-2017-9793.
The second Cisco advisory is for Struts 2.3.34, released on September 7, which patched CVE-2017-12611, a Struts remote code execution flaw that grants attackers control over remote servers.
Of these four vulnerabilities, CVE-2017-9805 is the only one rated critical, owing to its severity and relative ease of exploitation.
"To date, our systems have successfully blocked thousands of attacks from all over the world with China, as usual in Apache Struts vulnerabilities, identified as the most prominent source of attacks," Nadav Avital, an Imperva security researcher, noted last week.
As Cisco's investigation progresses, the company has promised patches that integrate the Struts updates into its proprietary technology.
Some of the best-known software products Cisco is reviewing include the WebEx Meetings Server, the Data Center Network Manager, the Identity Services Engine (ISE), several Cisco Prime products, and some products for video and streaming services.
Apache Struts is an open-source MVC framework coded in Java that is often used to build complex products such as servers and enterprise applications. An estimated 65% of Fortune 100 companies use Struts for their infrastructure.
Earlier this year, researchers discovered an Apache Struts zero-day being exploited in live attacks, which was later used to install ransomware on corporate servers. That flaw, CVE-2017-5638, is not included in the recent Cisco security audits.