A newly discovered critical security vulnerability in popular open-source framework Apache leaves sensitive corporate data at risk.
First reported by ZDNet, the vulnerability affects multiple versions of the Apache Struts REST plugin all the way back to 2008. The vulnerability allows an attacker to compromise servers by remotely running applications using the REST plugin developed with Apache Struts, researchers revealed.
Apache Struts is commonly used by Fortune 100 companies to power both back-end and front-end applications.
Bas van Shaik, a product manager for researchers at LGTM wrote:
This particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin.
“I can’t stress enough how incredibly easy this is to exploit,” the cybersecurity researcher added. The vulnerability opens due to the way in which deserializes untrusted data. An attacker could fundamentally exploit the flaw to run any command, remotely, on a targeted Struts server. The attacker could do so even behind a company firewall. While an exploit has been developed by security researchers, it has not been released to ensure that companies are given time to patch their systems.
One analyst determined that at least 65% of all Fortune 100 companies are “actively using” web applications built with the Struts framework. “Organizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and SHOWTIME are known to have developed applications using the framework,” an excerpt from the announcement read.
A source code fix was released weeks ago before Apache released a full patch on Tuesday to fix the vulnerability.
“It turns out that there is no other way than to announce the vulnerability publicly and stress how important it is that people upgrade their Struts components,” van Schaik added.
Image credit: Wikimedia.