UPDATED 22:24 EDT / SEPTEMBER 05 2017

INFRA

Security flaw in Apache Struts exposes web servers to hacking

A critical security flaw in Apache Struts 2, the open-source framework for building Java web applications, exposes the servers that run them to remote attack, according to newly published research.

The flaw, discovered by researchers at the code-analysis service lgtm.com, allows attackers to execute code remotely on servers running Java applications that use the Struts REST plugin, a component shipped with Apache Struts. It stems from the way the plugin “deserializes” untrusted data: it takes the serialized payload in an incoming request and reconstructs it into live Java objects without restricting which classes may be created, so a payload crafted by a malicious actor is processed by Struts instead of being rejected.

The consequences of deserializing attacker-controlled data range from abuse of application logic and denial of service to execution of arbitrary code. The result is an open door through which hackers can cause serious harm, including stealing sensitive data or infecting machines with ransomware.
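To make the deserialization point concrete, here is an added Java example that is not code from the article, from lgtm.com or from Apache Struts. It shows the general pattern behind this bug class using the JDK's own serialization API rather than the plugin's code: a service that reads an object out of a request body with an unrestricted ObjectInputStream instantiates whatever class the stream names, while a JEP 290 ObjectInputFilter allow-list (Java 9 or later) rejects anything but the classes the endpoint expects. The BookingRequest and Unexpected classes and the two sample payloads are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

public class DeserializationDemo {

    /** A harmless DTO an endpoint legitimately expects in a request body (constructed for this example). */
    public static final class BookingRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String flight;
        final int seats;
        BookingRequest(String flight, int seats) { this.flight = flight; this.seats = seats; }
    }

    /** Stand-in for a class the endpoint never asked for; real gadget chains live in common libraries. */
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /** VULNERABLE: whatever class the stream names is instantiated before the application sees it. */
    static Object readUnrestricted(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    /** HARDENED: a JEP 290 allow-list filter rejects every class that is not expected at this endpoint. */
    static Object readAllowListed(byte[] body) throws IOException, ClassNotFoundException {
        // Allow the DTO itself plus String, which its field references; nothing else may be instantiated.
        Set<String> allowed = Set.of(BookingRequest.class.getName(), String.class.getName());
        ObjectInputFilter filter = info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED; // depth/reference checks, not a class
            }
            return allowed.contains(c.getName())
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(filter);
            return in.readObject(); // throws InvalidClassException on a rejected class
        }
    }

    /** Helper used only to build the constructed sample payloads. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new BookingRequest("VS3", 2));   // constructed "good" request body
        byte[] hostile = serialize(new Unexpected());             // constructed "bad" request body

        // The unrestricted reader happily builds the unexpected class.
        System.out.println("unrestricted, hostile: " + readUnrestricted(hostile).getClass().getSimpleName());

        // The allow-listed reader accepts the expected DTO ...
        System.out.println("allow-listed, legit:   " + readAllowListed(legit).getClass().getSimpleName());

        // ... and refuses to instantiate anything else.
        try {
            readAllowListed(hostile);
            System.out.println("allow-listed, hostile: accepted (this should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("allow-listed, hostile: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Run it with `java DeserializationDemo.java` on Java 11 or later. The design point is that the filter is an allow-list of the types this endpoint actually expects, not a blocklist of known gadget classes: a blocklist is bypassed as soon as a new gadget chain appears, whereas an allow-list fails closed. The same principle applies whatever serialization library a framework uses.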

Reports of web-server vulnerabilities are not unprecedented, but this flaw affects companies big and small: lgtm.com estimates that 65 percent of Fortune 100 companies run web applications built on Struts. Sites named as potentially exposed include Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot and SHOWTIME.

According to lgtm.com researcher Man Yue Mo, “Struts is used in several airline booking systems as well as a number of financial institutions who use it in Internet banking applications.” He added that exploiting the flaw is as simple as using a web browser.

The good news is that Apache has addressed the vulnerability in a new release of Struts. The bad news is that upgrading is not a drop-in patch: applications built on the affected plugin may need code changes before they work with the new version.

“This vulnerability is potentially very damaging due to the large number of sites that rely upon this framework,” an unnamed chief information security officer is quoted by lgtm.com as saying. “Coupled with the complexities to remediate, as code will have to be changed as opposed to just applying a vendor patch, this has the potential to be worse than the ‘POODLE’ attack was.”

Image: Maxpixel
