September 7, 2017

Critical Security Flaw Leaves 65% of Fortune 100 Firms Vulnerable

A newly discovered critical security vulnerability in Apache Struts, a popular open-source web framework, leaves sensitive corporate data at risk.

First reported by ZDNet, the vulnerability affects multiple versions of the Apache Struts REST plugin going all the way back to 2008. It allows an attacker to compromise a server by remotely running code on any application developed with Apache Struts that uses the REST plugin, researchers revealed.

Apache Struts is commonly used by Fortune 100 companies to power both back-end and front-end applications.

Bas van Schaik, a product manager at LGTM, whose researchers found the flaw, wrote:

This particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin.

“I can’t stress enough how incredibly easy this is to exploit,” the cybersecurity researcher added. The vulnerability stems from the way in which the Struts REST plugin deserializes untrusted data. An attacker could exploit the flaw to run any command remotely on a targeted Struts server, even one sitting behind a company firewall. While security researchers have developed a working exploit, it has not been released, so that companies are given time to patch their systems.

One analyst determined that at least 65% of all Fortune 100 companies are “actively using” web applications built with the Struts framework. “Organizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and SHOWTIME are known to have developed applications using the framework,” an excerpt from the announcement read.

A source-code fix was released weeks ago, before Apache released a full patch on Tuesday to fix the vulnerability.

“It turns out that there is no other way than to announce the vulnerability publicly and stress how important it is that people upgrade their Struts components,” van Schaik added.

Image credit: Wikimedia.

About the author


LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.