Security researchers have discovered another critical security flaw in Apache Struts 2, with experts indicating that it could lead to a breach on a similar scale to the Equifax hack revealed last year.
Man Yue Mo, researcher from Semmle Security Research Team, discovered the remote code execution flaw, which is caused by insufficient validation of untrusted user data. Attackers can exploit the flaw simply by visiting a specific URL on the target server.
The vulnerability, which is designated CVE-2018-11776, affects "all supported versions of Apache Struts 2", and stems from the core of the software, meaning that all implementations are affected regardless of whether or not additional plugins have been enabled.
This latest exploit is particularly worrying due to the popularity and prevalence of Struts. The application development framework, which is used to build Java apps, is deployed extensively by Fortune 500 companies.
There are two criteria that an application must meet in order for it to be vulnerable to this threat, which Semmle's team detailed in a blog post. First, the 'alwaysSelectFullNamespace' flag in the Struts configuration must set to true, which "is automatically the case if your application uses the popular Struts Convention plugin".
Secondly, applications must use "actions that are configured without specifying a namespace, or with a wildcard namespace (e.g. "/*"). This applies to actions and namespaces specified in the Struts configuration file (e.g. ), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin".
A similar remote code execution flaw in Struts (CVE-2017-5638) was discovered last year. It was this flaw that hackers exploited to steal more than 147 million people's personal details and financial history from Equifax - a breach that occurred months after the flaw was disclosed and patched.
"This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed," said Mo, the researcher who discovered the flaw, "opening up an attack vector to malicious hackers. On top of that, the weakness is related to the Struts OGNL language, which hackers are very familiar with, and are known to have been exploited in the past."
"On the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September."
Apache has issued patches to address the flaw, and all users of Struts are being urgently advised to update their systems as soon as possible. Semmle has warned that automated scanning tools will likely be available soon, allowing hackers to quickly scan for and exploit the vulnerability.
"Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit", said Semmle co-founder and vice president of QL engineering Pavel Avgustinov.
"A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It's crucially important to update affected systems immediately; to wait is to take an irresponsible risk."
-
Google CEO Sundar Pichai says vibe coding has made software development ‘exciting again’News Google CEO Sundar Pichai claims software development has become “exciting again” since the rise of vibe coding, but some devs are still on the fence about using AI to code.
-
15-year-old revealed as key player in Scattered LAPSUS$ HuntersNews 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
