Apache Struts Fixes Remote Attack Hole

Wednesday, September 6, 2017 @ 11:09 AM gHale

A critical vulnerability in Apache Struts means any server running an app built using the framework is now susceptible to remote attackers.

The vulnerability is easily exploited by sending a specially crafted web request to the application, said SANS ISC handler Adrien de Beaupre.

Locky Ransomware Back with Gusto
Ransomware has Manufacturing Focus
Users Learning, But Ransomware Still a Problem
Ransomware Shuts Down SMBs

In addition, de Beaupre said a working exploit has already been spotted.

Researchers discovered the flaw (CVE-2017-9805) during a static code analysis with software code exploration provider Semmle.

“This particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data,” said Bas van Schaik, a product manager at Semmle in a post.

Click here for more technical details on the vulnerability.

All versions of Struts since 2008 are affected.

The team notified the Apache Software Foundation about it in July, and on Tuesday the foundation pushed out a new version of Struts (v2.5.13)

The researchers have yet to publish PoC code, but someone else apparently already created and released a working exploit.

It is estimated around 65 percent of all Fortune 100 companies are actively using web applications built with the Struts framework.

De Beaupre said disabling access to the REST API used by Struts could be a temporary risk mitigation step until the organization is ready to upgrade to the fixed version.

Leave a Reply

You must be logged in to post a comment.