Oracle Feels Effects of Apache Struts Flaw

Tuesday, September 4, 2018 @ 06:09 PM gHale

Oracle said some of its products suffer from the Apache Struts 2 vulnerability that has been undergoing exploitation.

The vulnerability, discovered in the open source development framework by Semmle researcher Man Yue Mo, has a case number of CVE-2018-11776 and it has been classified as critical.

RELATED STORIES
Oracle Fixes More Spectre, Meltdown Issues
Oracle Access Manager Cyrptographic Hole
Attack Group Targets Healthcare, Manufacturing
How to Start a Security Program

It allows an unauthenticated attacker to remotely execute arbitrary code on a targeted server by sending it a specially crafted request.

The existence of the flaw was disclosed August 22, and despite the availability of only limited technical information, proof-of-concept (PoC) exploits emerged within days.

On August 27, security firms started seeing attempts to find vulnerable Apache Struts 2 installations, and even attempts to exploit the security hole.

Oracle notified customers of CVE-2018-11776 on Saturday and warned that Apache Struts 2 is a component of several of its product distributions. However, the company noted that not all products incorporating Struts 2 are necessarily vulnerable.

“When the alwaysSelectFullNamespace option is enabled in a Struts 2 configuration file, and an ACTION tag is specified without a namespace attribute or a wildcard namespace, this vulnerability can be used to perform an unauthenticated remote code execution attack which can lead to a complete compromise of the targeted system,” Oracle said in its advisory.



Leave a Reply

You must be logged in to post a comment.