New vulnerability in Apache Struts allows remote code execution


Exploit code for a vulnerability in Apache Struts has appeared on the internet. The Apache Software Foundation patched the vulnerability this week, and companies are advised to update quickly.

For a successful attack, all a malicious person needs to do is send the appropriate request through a browser to a site running a vulnerable Apache Struts installation. That person can then execute code on the server and, for example, access files and databases. Not every Apache Struts installation is vulnerable: it depends on the configuration, according to the Semmle security team, which discovered the vulnerability.

The Apache Software Foundation released a patch on Wednesday for the issue, which affects all versions of Struts 2. The update brings Struts 2.3 to version 2.3.35 and Struts 2.5 to 2.5.17. The vulnerability has been designated CVE-2018-11776.

Although the risk of abuse depends on the configuration, companies are advised to update to the latest version as soon as possible. Semmle cites an estimate from last year that 65 percent of US Fortune 100 companies use web applications built with the Apache Struts framework. The company also points out that vulnerable installations are easy to find and exploit, and that a change in configuration can make an initially secure installation vulnerable.
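The article gives the fixed releases (2.3.35 and 2.5.17) and tells readers to update. The following is an added defender-side check, not code from the article, from Apache or from Semmle: it reads a Maven `pom.xml`, finds the `org.apache.struts:struts2-core` dependency (resolving a `${...}` property reference if the version is declared that way), and reports whether the declared version is at or above the fixed release for its branch. The `pom.xml` content below is constructed for the example; the project name and the `struts.version` property are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases as stated in the advisory coverage: 2.3.x is fixed in 2.3.35,
# 2.5.x in 2.5.17. Any other Struts 2 branch has no fixed release listed and is
# treated as unpatched.
FIXED_VERSIONS = {
    (2, 3): (2, 3, 35),
    (2, 5): (2, 5, 17),
}

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(version):
    """Turn '2.5.16' into (2, 5, 16); a fourth component or a qualifier
    such as '2.3.34.1' or '2.5.17-SNAPSHOT' is ignored for the comparison."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if this struts2-core version is at or above the fixed release
    for its branch, False if it is an affected Struts 2 release without the
    fix, None if the major version is outside the advisory's scope."""
    v = parse_version(version)
    if v[0] != 2:
        return None
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return False  # all Struts 2 versions are affected; no fix on this branch
    return v >= fixed


def _resolve_property(root, value):
    """Replace a '${name}' reference with the matching <properties> entry,
    or return the value unchanged if it is not a reference or is unknown."""
    m = re.fullmatch(r"\$\{([^}]+)\}", value.strip())
    if not m:
        return value.strip()
    props = root.find("m:properties", MAVEN_NS)
    if props is not None:
        for child in props:
            if child.tag.split("}")[-1] == m.group(1):
                return (child.text or "").strip()
    return value.strip()  # unresolved placeholder is left as-is


def struts_version_from_pom(pom_xml):
    """Return the declared struts2-core version, or None if not a dependency."""
    root = ET.fromstring(pom_xml)
    for dep in root.findall(".//m:dependency", MAVEN_NS):
        gid = dep.findtext("m:groupId", default="", namespaces=MAVEN_NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=MAVEN_NS)
        if gid == "org.apache.struts" and aid == "struts2-core":
            raw = dep.findtext("m:version", default="", namespaces=MAVEN_NS)
            return _resolve_property(root, raw)
    return None


def audit_pom(pom_xml):
    """Summarise the Struts 2 exposure of one pom.xml as a small dict."""
    version = struts_version_from_pom(pom_xml)
    if version is None:
        return {"version": None, "patched": None}
    try:
        return {"version": version, "patched": is_patched(version)}
    except ValueError:
        # e.g. an unresolved '${...}' reference; flag it for manual review
        return {"version": version, "patched": None}


# Constructed sample: a webapp pinned to 2.5.16, one release behind the fix.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>constructed-webapp</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.5.16</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    print(audit_pom(SAMPLE_POM))
```

The check only reads what the build file declares; a deployed WAR may bundle a different `struts2-core` jar, so the same comparison should also be run against the version in the jar's manifest before treating an application as patched.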

The seriousness of vulnerabilities in Apache Struts is illustrated by the hack at the American credit rating agency Equifax a year ago. Criminals managed to access the company’s database through a vulnerability in Apache Struts that had been known for months. As a result, sensitive data of millions of Americans and Britons was exposed.
