Apache Struts you're stuffed: Vuln allows hackers to inject evil code into biz servers

  • 5 September 2017

All versions of Struts since 2008 affected – upgrade now

By John Leyden 5 Sep 2017 

 
Malicious code can be pushed into servers running Apache Struts 2 apps, allowing scumbags to run malware within corporate networks.
 
The critical security vulnerability was discovered by researchers at Semmle, who today went public with their find. Apache Struts is a popular open-source framework for developing applications in Java.
 
All versions of Struts since 2008 are affected and all web applications using the framework’s popular REST plugin are vulnerable – exposing organizations and projects to hacker hijackings. Developers are advised to patch Apache Struts to version 2.5.13, which was released today.
 
Full Article.

2 replies

September 6th, 2017 By Paul Ducklin
 
It seems only yesterday – in fact, it was six months ago – that we wrote about a nasty security hole in Apache Struts.
 
Unfortunately, it’s time for déjà vu all over again, with a similar sort of hole that can apparently be exploited in a similar way.
 
To explain.
 
Apache Struts is a software toolkit for creating Java-based web applications that run on your web server.
 
Struts can be used for building internet-facing services such as online shops or discussion forums: with Struts, you can generate web pages on the fly, tailor web content for the current user as they move around on your site, respond to web forms filled in by your visitors, and much more.
 
You can tell where this is going, given that an important part of any web application framework is dealing with the security risks implicit in requesting, acquiring and responding to data that is uploaded by outsiders.
 
And that’s where this Struts bug, known as CVE-2017-9805, comes in.
 
Full Article.
Good article and well informed on this issue.
