Users of the web application platform should update now
A critical vulnerability found on the popular web application platform Apache Struts can easily be exploited by attackers to takeover a target’s system, security researchers warned.
Announcing the flaw, the Apache Software Foundation, creators of the open-source platform, said those operating any version of Apache Struts 2 ran the risk of remote code execution (RCE) when “using results with no namespace and in same time” or if “upper action(s) have no or wildcard namespace”.
The company immediately released a patch, adding that users who did not update would also be in danger “when using url tag which doesn’t have value and action set”.
Apache Struts is used by the majority of Fortune 100 companies, all of which could have data stolen or experience further attacks on their network after having just one system compromised. The public accessibility of the platform also makes the flaw particularly straightforward for attackers to exploit.
“This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,” said Man Yue Mo, a security researcher at software firm Semmle, who first discovered the issue.
“On top of that, the weakness is related to the Struts OGNL language, which hackers are very familiar with, and are known to have been exploited in the past.”
A previous flaw within Apache Struts in 2017 made headlines after the credit reporting agency Equifax failed to update their software – despite a patch having been released. This resulted in 147.9 million people having their data exposed, and what is likely one of the most expensive data breaches in corporate history.
Leading corporations, however, still maintain vulnerable systems, with Fortune reporting that 57% of Fortune Global 100 companies run insecure versions of Apache Struts.