Exploit Code Releases for Apache Struts Hole

Monday, August 27, 2018 @ 05:08 PM gHale

There is a critical Apache Struts flaw similar to the one exploited in the Equifax breach, said Apache Software Foundation (ASF) officials.

Along those lines, officials urged organizations and developers to upgrade their installations to versions 2.3.35 or 2.5.17.

The vulnerability was discovered by Semmle security researcher Man Yue Mo.

Proof-of-concept (PoC) code appeared in lightning-quick fashion. Recorded Future researchers found it on GitHub, along with a Python script that allows for easy exploitation.

“Unlike last year’s Apache Struts exploit, which was at the center of the Equifax breach, this vulnerability appears easier to exploit because it does not require the Apache Struts installation to have any additional plugins running in order to successfully exploit it,” Allan Liska, a researcher at Recorded Future, said in a post.

For those who cannot update immediately, there are mitigations.

“Verify that you have set (and always not forgot to set) namespace (if is applicable) for your all defined results in underlying configurations. Also verify that you have set (and always not forgot to set) value or action for all url tags in your JSPs. Both are needed only when their upper action(s) configurations have no or wildcard namespace,” ASF officials said.
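One way to run the two checks in that guidance over a code base, as an added example that is not from ASF or Recorded Future. It assumes the conventional `s` taglib prefix in JSPs and that `redirectAction`, `chain` and `postback` are the result types that take a `namespace` param; the sample input is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: these are the result types that take a "namespace" param.
NAMESPACED_RESULTS = {"redirectAction", "chain", "postback"}
URL_TAG = re.compile(r"<s:url\b[^>]*>")  # assumes the usual "s" taglib prefix
TARGET_ATTR = re.compile(r"\b(?:value|action)\s*=")

def audit_struts_xml(xml_text):
    """List (package, action, result type) for results lacking a namespace param."""
    findings = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        ns = pkg.get("namespace")
        if ns and "*" not in ns:
            continue  # explicit, non-wildcard namespace: out of scope per the guidance
        for holder in pkg:
            if holder.tag not in ("action", "global-results"):
                continue
            for result in holder.iter("result"):
                params = {p.get("name") for p in result.iter("param")}
                if result.get("type") in NAMESPACED_RESULTS and "namespace" not in params:
                    findings.append((pkg.get("name"), holder.get("name", holder.tag),
                                     result.get("type")))
    return findings

def audit_jsp(jsp_text):
    """List <s:url> tags that set neither value nor action."""
    return [tag for tag in URL_TAG.findall(jsp_text) if not TARGET_ATTR.search(tag)]

# Constructed sample input, not taken from any real application.
SAMPLE_XML = """<struts>
  <package name="open" extends="struts-default">
    <action name="go" class="example.Go">
      <result type="redirectAction"><param name="actionName">home</param></result>
    </action>
    <action name="ok" class="example.Ok">
      <result type="redirectAction">
        <param name="actionName">home</param><param name="namespace">/app</param>
      </result>
    </action>
  </package>
  <package name="fixed" namespace="/app" extends="struts-default">
    <action name="go" class="example.Go"><result type="chain">home</result></action>
  </package>
</struts>"""
SAMPLE_JSP = '<s:url/> <s:url action="home"/> <s:url var="u" includeParams="get"/>'

if __name__ == "__main__":
    print(audit_struts_xml(SAMPLE_XML))
    print(audit_jsp(SAMPLE_JSP))
```

The JSP check is a plain regular expression, so a tag whose attribute value contains `>` will be cut short and should be reviewed by hand.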


