The flaw in Struts, a popular open-source framework for developing Web applications in the Java programming language, can be exploited remotely and all versions since 2008 are affected, according to a security advisory posted by lgtm's Bas van Schaik.
The flaw allows a remote attacker to execute arbitrary code on any server that runs the Struts REST plugin; deployments that do not load that plugin are not exposed to this particular bug.
The issue is estimated to affect organisations such as Lockheed Martin, the US Internal Revenue Service, Citigroup, Vodafone, Virgin Atlantic, Reader's Digest, Office Depot and SHOWTIME, all of which are known to have built applications on the framework, according to van Schaik.
"Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a Web browser. Organisations who use Struts should upgrade their components immediately."
The Struts project released a fix on Tuesday and is urging users to upgrade to the latest version, 2.5.13, immediately. The fix is delivered as a new release rather than a configuration change, so identifying which deployments still carry an older struts2-core and struts2-rest-plugin is the first step in remediation.
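Because the exposure here depends on two things, the REST plugin being deployed and the Struts version being older than 2.5.13, a quick triage check is to inspect the jar names shipped under WEB-INF/lib of each deployed WAR. The following is an added example written for this page, not code from the article or from the Struts project. It assumes the standard Maven naming convention for Struts artifacts (struts2-core-<version>.jar and struts2-rest-plugin-<version>.jar) and the standard WAR layout; the sample WAR it builds is constructed inline so the script runs offline. It only reads jar names, so it can miss shaded or renamed jars and does not prove exploitability; treat a "vulnerable" result as a reason to upgrade, not as a confirmed compromise.

```python
"""Triage check: does a WAR ship the Struts 2 REST plugin older than 2.5.13?

Added example for this page; not the article's or the Struts project's code.
Assumes Maven-style jar names (struts2-core-2.5.10.1.jar) under WEB-INF/lib.
"""
import io
import re
import zipfile

FIXED_VERSION = (2, 5, 13)  # the upgrade target named in the advisory

# "WEB-INF/lib/struts2-rest-plugin-2.5.10.1.jar" -> ("struts2-rest-plugin", "2.5.10.1")
JAR_RE = re.compile(r"(?:^|/)(struts2-[a-z0-9-]+?)-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1). Tuples compare numerically, so 2.5.13 > 2.5.9,
    which a plain string comparison would get wrong."""
    return tuple(int(part) for part in text.split("."))


def struts_artifacts(war_bytes):
    """Return {artifact_id: version_tuple} for every Struts 2 jar in WEB-INF/lib."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if not name.startswith("WEB-INF/lib/"):
                continue
            match = JAR_RE.search(name)
            if match:
                found[match.group(1)] = parse_version(match.group(2))
    return found


def assess(artifacts, fixed=FIXED_VERSION):
    """Classify a deployment from its Struts artifacts.

    Exposure needs both the REST plugin and a version below the fixed release.
    Anything older than 2.5.13, including the 2.3 line, is flagged because that
    is the version the advisory tells users to move to.
    """
    core = artifacts.get("struts2-core")
    rest = artifacts.get("struts2-rest-plugin")
    if core is None:
        return {"status": "no-struts"}
    if rest is None:
        return {"status": "rest-plugin-absent", "core": core}
    if core < fixed or rest < fixed:
        return {"status": "vulnerable", "core": core, "rest_plugin": rest}
    return {"status": "patched", "core": core, "rest_plugin": rest}


def build_sample_war(jar_names):
    """Constructed sample WAR with empty jar entries, for offline demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in jar_names:
            war.writestr(f"WEB-INF/lib/{jar}", b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: one pre-fix deployment, one upgraded to 2.5.13.
    old = build_sample_war(["struts2-core-2.5.10.1.jar",
                            "struts2-rest-plugin-2.5.10.1.jar",
                            "commons-lang3-3.6.jar"])
    new = build_sample_war(["struts2-core-2.5.13.jar",
                            "struts2-rest-plugin-2.5.13.jar"])
    print(assess(struts_artifacts(old)))  # status: vulnerable
    print(assess(struts_artifacts(new)))  # status: patched
```

To run this against a real estate, replace build_sample_war with the bytes of each WAR pulled from your application servers; a deployment reported as "rest-plugin-absent" is not exposed to this bug but should still be upgraded on the normal schedule.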
This is the second Struts flaw to be disclosed in 2017. In March, threat intelligence firm Talos published details of a zero-day remote code execution bug in the Jakarta Multipart parser of Apache Struts, the component that handles file uploads. That bug was triggered by a malformed Content-Type header on a request routed through the upload parser, so an attacker did not need to upload a genuine file to reach it.