The Apache Software Foundation issued an urgent patch Tuesday for a serious vulnerability in Struts 2 that allows hackers to execute remote code on servers and websites.

The vulnerability, CVE-2018-11776, discovered by Semmle Ltd. security researcher Man Yue Mo, is the result of insufficient validation of untrusted user data injected into the core Struts framework.

Affecting all supported versions of Apache Struts 2, the vulnerability is described as providing “a hacker with an entry point into your corporate networks, and can put both infrastructure and data at risk.”

Tim Mackey, technology evangelist at Synopsys Inc., told SiliconANGLE that the researcher looked at prior remote code execution vulnerabilities within Struts to determine if there was a coding pattern that led to them.

“Developers commonly use libraries of code, or development paradigms which have proven efficient, when creating new applications or features,” Mackey said. “This attribute is a positive when the library or paradigm is of high quality, but when a security defect is uncovered this same attribute often leads to a pattern of security issues.”

In this case, he added, the root cause was a lack of input validation on the URL passed to the Struts framework. “Unlike CVE-2018-11776, prior vulnerabilities were all in code within a single functional area of the Struts code,” Mackey explained. “This meant that developers familiar with that functional area could quickly identify and resolve issues without introducing new functional behaviors. CVE-2018-11776 operates at a far deeper level within the code which in turns requires a deeper understanding of not only the Struts code itself, but the various libraries used by Struts. It is this level of understanding which is of greatest concern – and this concern relates to any library framework.”

Image: Apache