In the Apache Struts framework, a vulnerability was found that allows executing arbitrary code on the server where a web application created with this framework is running. Apache Struts is used by 65% of the world's largest Fortune 100 companies, and it is especially popular with airlines and financial institutions.
Vulnerability in Apache Struts.
Cyber security researchers from the LGTM community have discovered a critical vulnerability in Apache Struts, a popular open source platform for developing Java web applications. The vulnerability is present in all versions of Struts since 2008. It was noticed in version 2.13. The bug affects web applications created with Apache Struts that use the REST plug-in. The vulnerability was assigned CVE-2017-9805. The Apache Struts development team confirmed the severity of the problem and has already released a patch.
This vulnerability allows an attacker to remotely execute arbitrary code on any server where an application built with Apache Struts and the REST plug-in is running. The root cause is that Apache Struts incorrectly deserializes untrusted data. During an attack, the intruder can collect data from the server and send it wherever he wishes. The server can also be used as an entry point to other parts of the same network, where corporate firewalls cannot protect them.
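The REST plug-in turns the XML body of a request into Java objects with the XStream library, and an XStream instance that has not been restricted will instantiate whatever class the XML names. The following is an added illustration of the defensive pattern, not code from the article or from the Struts project: it assumes XStream 1.4.7 or later (the version that introduced the type-permission API) and a hypothetical OrderRequest class standing in for whatever object an endpoint really expects. The unrestricted parser accepts a body naming a type the endpoint never asked for, while the allow-listed parser rejects it before any object is built.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class RestXmlDeserializationDemo {

    /** Hypothetical DTO that a REST endpoint expects to receive. */
    public static class OrderRequest {
        public String flightNumber;
        public int seats;
    }

    /** Unsafe: a default XStream instance builds any class the XML names. */
    static XStream unrestrictedXStream() {
        XStream xs = new XStream();
        xs.alias("order", OrderRequest.class);
        return xs;
    }

    /** Hardened: start from "nothing allowed", then permit only what the endpoint needs. */
    static XStream allowListedXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);               // deny every type by default
        xs.addPermission(NullPermission.NULL);                 // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);  // allow int, boolean, ...
        xs.allowTypes(new Class[] { String.class, OrderRequest.class });
        xs.alias("order", OrderRequest.class);
        return xs;
    }

    public static void main(String[] args) {
        // Constructed, well-formed request body: the hardened parser accepts it.
        String good = "<order><flightNumber>VS003</flightNumber><seats>2</seats></order>";
        OrderRequest req = (OrderRequest) allowListedXStream().fromXML(good);
        System.out.println("accepted: " + req.flightNumber + " x" + req.seats);

        // Constructed body naming a type the endpoint never asked for (a plain HashMap
        // here, chosen because it is harmless). The unrestricted parser builds it anyway.
        String unexpected = "<java.util.HashMap><entry><string>k</string>"
                          + "<string>v</string></entry></java.util.HashMap>";
        Object built = unrestrictedXStream().fromXML(unexpected);
        System.out.println("unrestricted parser built a " + built.getClass().getName());

        // The allow-listed parser refuses the same body before instantiating anything.
        try {
            allowListedXStream().fromXML(unexpected);
            System.out.println("BUG: unexpected type was deserialized");
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rejection is the point: once the parser only knows the handful of types an endpoint legitimately consumes, a request body cannot steer it into constructing arbitrary classes, which is the behaviour the vulnerability relies on. Upgrading to the patched Struts release applies the same kind of restriction inside the REST plug-in itself.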
According to the researcher Man Yue Mo, who discovered the bug, it is extremely simple to exploit: all an attacker needs is an ordinary web browser. The LGTM team reports that they have a simple working exploit for this vulnerability, which they are not publishing yet.
Zone of defeat.
Researcher Fintan Ryan from the analyst firm RedMonk claims that at least 65% of the largest companies in the Fortune 100 ranking actively use applications created with Apache Struts. Such applications are known to be in use at aircraft manufacturer Lockheed Martin, financial conglomerate Citigroup, mobile operator Vodafone, airline Virgin Atlantic, the popular American magazine Reader's Digest, office supplies retailer Office Depot, Showtime and even the US Internal Revenue Service.
According to Man Yue Mo, applications based on Apache Struts are especially widely used in air ticket purchase services and in financial institutions. The head of security at a Tier 1 bank, consulted by the LGTM team, confirmed that Apache Struts is widely used in websites and applications and that simply applying the patch will not be enough to solve the problem. According to him, the consequences of this bug may be worse than the notorious POODLE vulnerability found in SSL 3.0 in 2014.
What is Apache Struts?
Apache Struts is an open source framework for building Java EE web applications. The framework is based on the Java Servlet API and provides an implementation of the MVC pattern. Apache Struts was developed by Craig McClanahan, and the Apache Foundation received it in May 2000. It was originally developed within the Apache Jakarta Project under the name Jakarta Struts, and in 2005 it became a top-level Apache project.
Struts was created to separate the model, that is, the application logic that interacts with the database, from the presentation of the HTML page and from the controller that passes data between the view and the model.
Apache Struts has a fork, the WebWork framework, which shares the same architecture but adds a number of improvements. In December 2005 it was announced that Struts would merge back with WebWork. WebWork 2.2 was designated Apache Struts 2 and released in February 2007.