A critical remote code execution vulnerability in Apache Struts, a popular open source web application software framework, allows hackers to take over targeted machines in attacks.
Tuesday’s vulnerability is credited to insufficient validation of untrusted user data in the core of Struts. The announcement provoked a worried response from information security experts:
100% reliable RCE that where vulnerable targets are probably enumerable via Shodan… PATCH THIS. https://t.co/xj6yJjyjtk
— Dino A. Dai Zovi (@dinodaizovi) August 22, 2018
The new Struts vulnerability was identified in April by Man Yue Mo from the Semmle Security Research Team. It was patched in June and publicly announced on Tuesday. Apache Struts users are urged to patch immediately.
“Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,” said Pavel Avgustinov, a co-founder at Semmle.
“A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.”
An Apache Struts vulnerability was famously a key reason for the 2017 Equifax breach leading to the theft of data of 148 million people and potentially cost upwards of $600 million, according to the company.
Soon after the public announcement of the vulnerability used against Equifax, hackers attempted to use the vulnerability more widely including against U.S. government targets like the Pentagon.
“The vulnerability that took down Equifax last year when it was released in March, we had a nation-state actor within 24 hours scanning looking for unpatched servers within the DoD,” David Hogue, a senior technical director for the NSA’s Cybersecurity Threat Operations Center (NCTOC), said earlier this year.