Technology

New critical vulnerability exposes Apache Struts instances to remote attacks

Update your Apache Struts instances now.

August 22, 2018

A critical remote code execution vulnerability in Apache Struts, a popular open source web application software framework, allows hackers to take over targeted machines in attacks.

The vulnerability (CVE-2018-11776) impacts the software, which is used by an estimated 65 percent of Fortune 100 companies and growing.

Tuesday’s vulnerability is credited to insufficient validation of untrusted user data in the core of Struts. The announcement provoked a worried response from information security experts:

100% reliable RCE that where vulnerable targets are probably enumerable via Shodan… PATCH THIS. https://t.co/xj6yJjyjtk

— Dino A. Dai Zovi (@dinodaizovi) August 22, 2018

The new Struts vulnerability was identified in April by Man Yue Mo from the Semmle Security Research Team. It was patched in June and publicly announced on Tuesday. Apache Struts users are urged to patch immediately.

“Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,” said Pavel Avgustinov, a co-founder at Semmle.

“A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.”

An Apache Struts vulnerability was famously a key reason for the 2017 Equifax breach leading to the theft of data of 148 million people and potentially cost upwards of $600 million, according to the company.

Soon after the public announcement of the vulnerability used against Equifax, hackers attempted to use the vulnerability more widely including against U.S. government targets like the Pentagon.

“The vulnerability that took down Equifax last year when it was released in March, we had a nation-state actor within 24 hours scanning looking for unpatched servers within the DoD,” David Hogue, a senior technical director for the NSA’s Cybersecurity Threat Operations Center (NCTOC), said earlier this year.

New critical vulnerability exposes Apache Struts instances to remote attacks

More Like This

House hurtles toward showdown over expiring surveillance tools

Civil society groups press platforms to step up election integrity work

CFPB’s proposed data rules would improve security, privacy and competition

Top Stories

House passes bill to limit personal data purchases by law enforcement, intelligence agencies

Mandiant: Notorious Russian hacking unit linked to breach of Texas water facility

‘Large volume’ of data stolen from UN agency after ransomware attack

More Scoops

If hackers are exploiting the Log4j flaw, CISA says we might not know yet

Backdoor vulnerability in open source tool exposes thousands of apps to remote code execution

Apache alerts developers of remote code execution flaw

Equifax CISO Jamil Farshchi’s three-act, ‘shared fate’ security plan

Over 10,000 companies downloading software vulnerable to Equifax hack

Nation-state hackers attempted to use Equifax vulnerability against DoD, NSA official says

New OWASP Top 10 includes Apache Struts-type vulns, XXE and poor logging

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics