Critical Apache Struts vulnerability menaces enterprises

Users advised to upgrade immediately.

Researchers have discovered a remotely exploitable vulnerability in the Java-based Apache Struts open source web application development framework.

Man Yue Mo, a researcher at open source software project analytics firm Lgtm, said the vulnerability in Struts stems from unsafe deserialisation in the Java programming language, that is, taking data from a certain format and rebuilding it as an object.

He was reluctant to provide full details of the flaw due to the seriousness of the vulnerability, but said exploiting it is trivial through the Struts representational state transfer (REST) plug-in. 

"It is incredibly easy for an attacker to exploit this weakness: all you need is a web browser," Man said.

Struts is a popular framework, with an estimated two-thirds of Fortune 100 companies such as Lockheed Martin, Citigroup, Vodafone, Virgin Atlantic and others using it to develop web applications.

It is used for several airline booking systems as well as in internet banking applications.

The flaw was reported to Apache Struts developers in July, with a patched version of the framework released today.

Users are advised to upgrade to Struts version 2.5.13 immediately. The patched version also addresses two other security issues that can be exploited for denial of service attacks.

In March a vulnerability in the Struts Jakarta multipart parser was found to be under active exploitation by attackers worldwide.

A month later, Australian software vendor Atlassian had to reset all passwords for its Hipchat communications platform after it was hacked via the Struts vulnerability and user data was accessed.

Copyright © iTnews.com.au . All rights reserved.