Apache Struts is an open source framework for developing Java web applications, used by enterprises worldwide including Vodafone, Lockheed Martin, Virgin Atlantic, and the IRS.
A critical remote code execution (RCE) vulnerability has been found in the popular Apache Struts framework. If exploited, it lets an attacker run malicious code on affected servers.
The vulnerability is CVE-2018-11776. It sits in the core of the Struts framework and stems from insufficient validation of user-supplied input: under certain configurations, Struts takes the namespace for an action from the request URL without validating it, and that attacker-controlled value is later evaluated as an OGNL expression.
The flaw can be triggered simply by requesting a specially crafted URL on an affected server, giving an attacker the ability to execute arbitrary code and take complete control of that server.
Applications built on Struts 2.3 through 2.3.34 and Struts 2.5 through 2.5.16, as well as some unsupported Struts versions, are affected, subject to the configuration conditions described below.
To reduce exposure to threats like this, we recommend installing antivirus for Windows or antivirus for Mac on every device you own, depending on its operating system.
If you are a company, we also recommend engaging a specialized cybersecurity firm every year to test your network; these tests include penetration testing and ethical hacking.
To be more precise, your Apache Struts deployment is vulnerable to this RCE flaw only if both of the following conditions hold:
• The alwaysSelectFullNamespace flag (the constant struts.mapper.alwaysSelectFullNamespace) is set to true in the Struts configuration.
• The application defines actions without a namespace or with a wildcard namespace (for example “/*”), either in the Struts configuration file (the namespace attribute on the enclosing package element) or through “action” or “url” tags that omit the optional namespace attribute. With no fixed namespace, Struts derives it from the request URL.
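As an added, constructed illustration of these two conditions (not code from the original post or from the Struts project), the following Python script parses a struts.xml and reports the actions that satisfy both preconditions. The two struts.xml documents embedded in it are constructed samples, and the com.example action classes are placeholders.

```python
"""Audit a struts.xml for the two CVE-2018-11776 preconditions.

Added example for this page, not Struts project code. The struts.xml
strings below are constructed samples; com.example.* classes are
placeholders. The real fix is upgrading Struts; this script only tells
you whether a given configuration file meets both conditions.
"""
import xml.etree.ElementTree as ET

FULL_NS_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"

# Constructed sample: condition 1 (constant set to true) plus two packages
# meeting condition 2 (no namespace attribute, and a wildcard namespace).
# The "admin" package has an explicit namespace and must not be reported.
VULNERABLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="com.example.IndexAction"/>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="report" class="com.example.ReportAction"/>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="users" class="com.example.UsersAction"/>
  </package>
</struts>
"""

# Constructed sample of the configuration workaround: the constant is left
# as-is, but every package carries an explicit, non-wildcard namespace, so
# the namespace is never taken from the request URL.
HARDENED_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" namespace="/" extends="struts-default">
    <action name="index" class="com.example.IndexAction"/>
  </package>
  <package name="reports" namespace="/reports" extends="struts-default">
    <action name="report" class="com.example.ReportAction"/>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="users" class="com.example.UsersAction"/>
  </package>
</struts>
"""


def always_select_full_namespace(root):
    """Condition 1: the mapper constant is explicitly set to true."""
    for const in root.iter("constant"):
        if const.get("name") == FULL_NS_CONSTANT:
            return (const.get("value") or "").strip().lower() == "true"
    return False  # the Struts default for this constant is false


def exposed_actions(root):
    """Condition 2: actions in packages with no namespace or a wildcard one.

    Returns (package name, namespace or None, action name) tuples.
    """
    found = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns is None or "*" in ns:
            for action in pkg.findall("action"):
                found.append((pkg.get("name"), ns, action.get("name")))
    return found


def audit_struts_xml(text):
    """Return the exposed actions when BOTH conditions hold, else []."""
    root = ET.fromstring(text)
    if not always_select_full_namespace(root):
        return []
    return exposed_actions(root)


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_STRUTS_XML),
                       ("hardened", HARDENED_STRUTS_XML)):
        hits = audit_struts_xml(cfg)
        print(f"{label}: {len(hits)} exposed action(s)")
        for pkg, ns, act in hits:
            print(f"  package {pkg!r} namespace={ns!r} action {act!r}")
```

Two caveats when running this against a real application. The constant can also be set outside struts.xml (in struts.properties or a plugin's struts-plugin.xml), and actions configured through Java annotations with the Convention plugin never appear in struts.xml, so check the effective configuration rather than one file. And an empty result only means these configuration conditions are not met in that file; it is not a substitute for upgrading.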
This is a very critical flaw and must be treated with extreme caution; recall that less than a year ago the credit rating agency Equifax exposed the personal details of 147 million consumers because it failed to patch a similar Apache Struts flaw disclosed earlier that year (CVE-2017-5638). The breach cost the company over $600 million.
The Apache Struts project has fixed the vulnerability in Struts 2.3.35 and 2.5.17. Organizations and developers who use Apache Struts should upgrade their Struts components urgently.
We will continue to monitor developments around this vulnerability. In the meantime, keep a keen eye out for attacks against exposed Struts applications, and follow the device protection and annual penetration testing recommendations above.