Critical Apache Struts vulnerability menaces enterprises

Users advised to upgrade immediately.

Researchers have discovered a remotely exploitable vulnerability in the Java-based Apache Struts open source web application development framework.

Man Yue Mo, a researcher at open source software project analytics firm Lgtm, said the vulnerability in Struts stems from unsafe deserialisation (taking data in a serialised format and rebuilding it as an object) in the Java programming language.

He was reluctant to provide full details of the flaw because of its seriousness, but said exploiting it is trivial through the Struts representational state transfer (REST) plug-in.

"It is incredibly easy for an attacker to exploit this weakness: all you need is a web browser," Man said.

Struts is a popular framework, with an estimated two-thirds of Fortune 100 companies such as Lockheed Martin, Citigroup, Vodafone, Virgin Atlantic and others using it to develop web applications.

It is used for several airline booking systems as well as in internet banking applications.

The flaw was reported to Apache Struts developers in July, with a patched version of the framework released today.

Users are advised to upgrade to Struts version 2.5.13 immediately. The patched version also addresses two other security issues that can be exploited for denial of service attacks.
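An inventory check a defender would run after reading the advice above, added here as an example and not taken from the article or the Struts project: it walks a deployment directory, looks for the REST plug-in jar either loose on disk or inside .war archives, and flags any copy older than 2.5.13. The artifact name struts2-rest-plugin-<version>.jar is an assumption about how the plug-in is packaged in your builds.

```python
import os
import re
import zipfile

# Patched release named in the advisory above; anything older is flagged.
FIXED_VERSION = (2, 5, 13)

# Assumed artifact naming: struts2-rest-plugin-<version>.jar; adjust the
# pattern if your build renames jars.
JAR_PATTERN = re.compile(r"(?:^|/)struts2-rest-plugin-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.5.12' into (2, 5, 12) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def needs_upgrade(version):
    """True when a REST plug-in version is older than the patched release."""
    return parse_version(version) < FIXED_VERSION


def classify_entries(entries):
    """Pick REST plug-in jars out of file paths or archive entry names.

    Returns a list of (entry, version, needs_upgrade) tuples.
    """
    findings = []
    for entry in entries:
        match = JAR_PATTERN.search(entry.replace("\\", "/"))
        if match:
            version = match.group(1)
            findings.append((entry, version, needs_upgrade(version)))
    return findings


def scan_tree(root):
    """Walk a deployment directory: check loose jars and the contents of every .war."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(".war") and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as war:  # jars live under WEB-INF/lib/
                    for entry, version, flag in classify_entries(war.namelist()):
                        findings.append((f"{path}!{entry}", version, flag))
            else:
                findings.extend(classify_entries([path]))
    return findings


if __name__ == "__main__":
    import sys
    for location, version, flag in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(("UPGRADE " if flag else "ok      ") + f"{version:8} {location}")
```

Run it against the application server's deployment root; every line marked UPGRADE is a REST plug-in jar still below the patched release.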

In March a vulnerability in the Struts Jakarta multipart parser was found to be under active exploitation by attackers worldwide.

A month later, Australian software vendor Atlassian had to reset all passwords for its Hipchat communications platform after it was hacked via the Struts vulnerability and user data was accessed.
