PatchSiren cyber security CVE debrief

CVE-2017-9805 Apache CVE debrief

CVE-2017-9805 is identified in the supplied official records as an Apache Struts deserialization of untrusted data vulnerability. CISA includes it in the Known Exploited Vulnerabilities catalog, which means it should be treated as a real-world exploitation risk rather than a theoretical issue. The KEV entry directs defenders to apply updates per vendor instructions, and the supplied metadata marks known ransomware campaign use as Unknown.

Vendor: Apache
Product: Struts
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2021-11-03
Original CVE updated: 2021-11-03
Advisory published: 2021-11-03
Advisory updated: 2021-11-03

Who should care

Organizations that run Apache Struts, together with the vulnerability management teams, application owners, and incident response teams responsible for patching and exposure review.

Technical summary

The official record describes the issue as deserialization of untrusted data in Apache Struts. The CISA KEV entry confirms it is a known exploited vulnerability and points defenders to vendor updates. Because the supplied record does not include a CVSS score, prioritization should lean on KEV status, asset exposure, and whether the application processes untrusted input.

Defensive priority

High. CISA lists this CVE in KEV, so affected Apache Struts deployments should be prioritized for inventory and remediation.

Recommended defensive actions

  • Inventory all Apache Struts deployments and identify any systems that may be affected.
  • Follow vendor guidance and apply the recommended updates as soon as possible.
  • Prioritize exposed or business-critical applications for remediation first.
  • Verify remediation after patching and confirm the vulnerable component is no longer present.
  • Review monitoring, logging, and incident response readiness for signs of abuse on affected systems.

Evidence notes

This debrief is based only on the supplied CISA KEV metadata and the official CVE/NVD/CISA links. The KEV record names Apache Struts as the affected product, classifies the issue as deserialization of untrusted data, lists dateAdded as 2021-11-03 and dueDate as 2022-05-03, and states requiredAction: Apply updates per vendor instructions. The supplied data does not include a CVSS score.

Official resources

Publicly documented in official vulnerability records and included in CISA's Known Exploited Vulnerabilities catalog.