the winxnet blog

Patch Released for Apache Struts Bug

Posted on 9/6/2017 1:35:22 PM by Dr. Eugene Slobodzian
Category: Security & Compliance



The Apache Struts Software Foundation has released an update to its open-source web application framework to fix a critical remote code execution vulnerability. The flaw allows attackers to seize control of any server running REST applications built with Struts, including servers that sit behind firewalls.

This bug affects all versions of the popular application development framework Struts since 2008. Semmle, a software engineering analytics firm that first identified the bug, advises users to upgrade their Apache Struts components to Apache Struts version 2.5.13.
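As an added example, not code from the post, Semmle or the Struts project, here is a small inventory check that lists the Struts 2 jars in a deployment directory listing and flags those older than the 2.5.13 release the post recommends. The jar names and the `SAMPLE_LIB` listing are constructed samples, and the pattern it matches against (`struts2-<artifact>-<version>.jar`) is an assumption about how the artifacts are named.

```python
import re
from typing import List, Optional, Tuple

# Release the post advises upgrading to; anything older is reported as needing an upgrade.
FIXED_VERSION = (2, 5, 13)

# Assumed naming convention for Struts 2 artifacts, e.g. struts2-core-2.3.34.jar or
# struts2-rest-plugin-2.5.12.jar. Captures the artifact name and the dotted version;
# a trailing qualifier such as -SNAPSHOT is tolerated but ignored.
JAR_RE = re.compile(r"^(struts2-[a-z0-9-]+)-(\d+(?:\.\d+)*)(?:[.-][a-z0-9]+)*\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.13' into (2, 5, 13); pad to three parts so comparisons are uniform."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def struts_artifact(filename: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (artifact, version) for a Struts 2 jar, or None for any other file."""
    m = JAR_RE.match(filename.lower())
    if not m:
        return None
    return m.group(1), parse_version(m.group(2))


def needs_upgrade(filename: str) -> bool:
    """True when the file is a Struts 2 artifact older than FIXED_VERSION."""
    found = struts_artifact(filename)
    return found is not None and found[1] < FIXED_VERSION


def audit(filenames: List[str]) -> List[str]:
    """Return the Struts 2 jars in a directory listing that are below the fixed release."""
    return sorted(f for f in filenames if needs_upgrade(f))


# Constructed sample listing of a WEB-INF/lib directory (not taken from any real host).
SAMPLE_LIB = [
    "struts2-core-2.3.34.jar",
    "struts2-rest-plugin-2.5.12.jar",
    "struts2-core-2.5.13.jar",
    "xstream-1.4.8.jar",
    "commons-lang3-3.6.jar",
]

if __name__ == "__main__":
    for jar in audit(SAMPLE_LIB):
        print("below 2.5.13:", jar)
```

On a real server, feed `audit()` the file names from each application's `WEB-INF/lib` directory (for example via `os.listdir`) rather than the constructed list.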

Semmle states that this most recent vulnerability is caused by the way that Struts deserializes untrusted data. Deserialization is the process of taking structured data in one format and rebuilding it into an object. When the data comes from an untrusted source, an attacker can craft it so that this process is subverted; deserialization flaws have frequently been used in denial-of-service attacks.

Multiple similar vulnerabilities have been reported and tied to Struts. Earlier this year, there was a critical Apache Struts vulnerability on Windows servers that was exploited to drop Cerber ransomware on the machines.

If you have questions about this vulnerability and want to ensure that your environment is being proactively monitored, maintained and managed, then it’s time for a conversation with our experts.