Malicious code can be pushed into servers running Apache Struts 2 apps, allowing scumbags to run malware within corporate networks.
The critical security vulnerability was discovered by researchers at Semmle, who today went public with their find. Apache Struts is a popular open-source framework for developing applications in Java.
All versions of Struts since 2008 are affected and all web applications using the framework’s popular REST plugin are vulnerable – exposing organizations and projects to hacker hijackings. Developers are advised to patch Apache Struts to version 2.5.13, which was released today.
Left unpatched, the flaw allows miscreants to inject malicious code into any server running a Struts application that uses the popular REST communication method, and execute it.
Exploiting the hole is as simple as sending a specially crafted web request to the application. The flaw is a programming blunder in the way Struts processes data from an untrusted source. Specifically, it's an unsafe deserialization in Java similar to a flaw in Apache Commons Collections, discovered by Chris Frohoff and Gabriel Lawrence, back in 2015.
A Semmle team led by Man Yue Mo identified the remote code execution vulnerability (CVE-2017-9805) using static code analysis.
"We strongly advise users of Struts to upgrade to the latest version to mitigate this security risk," said Mo.
"The vulnerability I discovered is a result of unsafe deserialization in Java. Multiple similar vulnerabilities have come to light in recent years, after Chris Frohoff and Gabriel Lawrence discovered a deserialization flaw in Apache Commons Collections that can lead to arbitrary code execution. Many Java applications have since been affected by such vulnerabilities." ®