A severe security vulnerability in server software allows hackers to remotely execute malicious code in unpatched software protecting a wide swath of the richest private enterprises in the world.
Apache Struts, an open-source framework for developing Java web applications, was discovered to have a remote code execution vulnerability. Discovered using lgtm, a free software engineering analytics tool launched last year, All web apps using Struts’ REST plugin are vulnerable. The 2.5.13 patch for Struts that addresses the issue, which launched just under two months after first disclosure, was released on Tuesday.
Experts recommend patching immediately, but the challenges and typical speed of that process, especially in large enterprises, suggest it could be some time before all the firms involved have secured their systems.
“The Struts framework is used by an incredibly large number and variety of organizations,” Man Yue Mo, an lgtm security researcher who discovered the vulnerability, said. “This vulnerability poses a huge risk, because the framework is typically used for designing publicly-accessible web applications. Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser.”
A hacker only needs to send a specific request to a vulnerable web application to exploit the hole in the way Struts “deserializes” or parses untrusted data.
“This is as serious as it gets,” Oege de Moor, CEO of Semmle, the firm that owns lgtm, explained. “If remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises. In the spirit of open source, we want to make sure that the community and industry are aware of these findings as we help uncover critical issues in large numbers of open-source projects. Working with Apache Struts, they were extremely responsive and immediately came up with a clear remediation path.”
With a mind toward the severity of the issue and the ease with which it can be exploited, some specific technical details of the vulnerability are being held back for several weeks to give organizations a chance to patch and secure their systems.