EXECUTIVE SUMMARY:

A major vulnerability in Apache Struts 2 has businesses racing to patch the software, says Krebs on Security. Apache Struts is an open-source Java web application framework used by approximately 65 percent of Fortune 100 companies. The last Struts flaw of this magnitude was the one exploited in the 2017 Equifax breach, which exposed the personal data of 147 million Americans.

Proof-of-concept exploit code for the flaw has already been posted online, leaving unpatched, internet-facing servers open to anyone who cares to use it.

According to Krebs, the remote code-execution flaw lets an attacker exploit websites running Struts using only a web browser. “The bad guy simply needs to send the right request to the site and the Web server will run any command of the attacker’s choosing,” he writes. “At that point, the intruder could take any number of actions, such as adding or deleting files, or copying internal databases.”

Tara Seals from Threatpost reports that Pavel Avgustinov, vice president of QL Engineering at Semmle, where the vulnerability was discovered, underscored the danger in a media statement: “Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,” he said. “A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system.”

Apache has issued patches for the bug (CVE-2018-11776, Apache advisory S2-057), which affects all versions of Struts 2. Users of Struts 2.3 should upgrade to 2.3.35, and users of Struts 2.5 should upgrade to 2.5.17; anything older on either branch should be treated as vulnerable.
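The first thing most teams need after a notice like this is an inventory: which deployed applications actually carry an affected struts2-core build. The script below is an added example, not code from Krebs, Threatpost, Semmle or the Apache Struts project. It assumes the fixed versions named above (2.3.35 and 2.5.17), the standard Maven jar naming convention struts2-core-<version>.jar, and that a jar without a version in its file name carries an Implementation-Version header in META-INF/MANIFEST.MF (both assumptions; a vendor-repackaged jar may satisfy neither). The fixture jars it builds are constructed for the demonstration and are not real Struts builds.

```python
"""Inventory struts2-core jars and flag versions older than the fixed releases.

Added example (not from the article or the Apache project): walks a directory
tree, finds struts2-core-*.jar files, reads the version from the file name
(falling back to the jar manifest's Implementation-Version) and reports whether
it is older than the fixed release for its branch.
"""
import os
import re
import zipfile

# Fixed releases named in the advisory summary; anything older on the same
# branch is flagged. Branches not listed (e.g. 2.1/2.2, long unsupported) are
# reported as "unsupported" rather than silently passed as safe.
FIXED = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}

# Maven naming convention for the core artifact, e.g. struts2-core-2.5.16.jar
JAR_RE = re.compile(r"^struts2-core-(\d+\.\d+\.\d+(?:\.\d+)?)\.jar$")


def parse_version(text):
    """'2.5.16' -> (2, 5, 16); ignores qualifiers such as '-SNAPSHOT'."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def classify(version):
    """Return 'vulnerable', 'fixed' or 'unsupported' for a struts2-core version tuple."""
    branch = version[:2]
    if branch not in FIXED:
        return "unsupported"
    return "fixed" if version >= FIXED[branch] else "vulnerable"


def manifest_version(jar_path):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def scan(root):
    """Return {jar_path: (version_tuple_or_None, status)} for every struts2-core jar under root."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not (name.startswith("struts2-core-") and name.endswith(".jar")):
                continue
            path = os.path.join(dirpath, name)
            m = JAR_RE.match(name)
            # Prefer the file name; fall back to the manifest for renamed jars.
            version = parse_version(m.group(1)) if m else manifest_version(path)
            status = classify(version) if version else "unknown"
            results[path] = (version, status)
    return results


def make_fake_jar(path, version):
    """Constructed fixture: an otherwise empty jar with only a manifest (not a real Struts build)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")


def demo():
    """Build three constructed fixture jars in a temp dir and return {file name: status}."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        make_fake_jar(os.path.join(tmp, "struts2-core-2.5.16.jar"), "2.5.16")
        make_fake_jar(os.path.join(tmp, "struts2-core-2.3.35.jar"), "2.3.35")
        # No version in the name: exercises the manifest fallback.
        make_fake_jar(os.path.join(tmp, "struts2-core-custom.jar"), "2.3.34")
        return {os.path.basename(p): s for p, (_, s) in scan(tmp).items()}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:11} {name}")
```

Run it against a real tree with scan("/path/to/webapps") and treat every "vulnerable", "unsupported" and "unknown" result as work: the unknowns are jars whose version could not be read and need a manual look, and the unsupported branches have no fixed release to upgrade to. A file-name check alone misses shaded or renamed jars, which is why the manifest fallback is there.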

Get the full story at Krebs on Security.