Thursday, 07 September 2017 09:32

Flaw in Apache Struts leaves high-profile companies exposed

By Sam Varghese

A vulnerability in the Apache Struts Web application framework has left a large number of high-profile sites open to exploitation, according to researchers at security vendor lgtm.

The flaw in Struts, a popular open-source framework for developing Web applications in the Java programming language, can be exploited remotely and all versions since 2008 are affected, according to a security advisory posted by lgtm's Bas van Schaik.

The flaw allows attackers to execute code remotely on servers that use the Struts REST plugin.

The issue has been estimated to affect organisations such as Lockheed Martin, the US Internal Revenue Service, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot and SHOWTIME, all of which are known to have developed applications using the framework, according to van Schaik.

Man Yue Mo, one of the researchers who found the flaw, said: "The Struts framework is used by an incredibly large number and variety of organisations. This vulnerability poses a huge risk, because the framework is typically used for designing publicly-accessible Web applications. 

"Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a Web browser. Organisations who use Struts should upgrade their components immediately."

A full patch was released on Tuesday that the Struts project says will fix the vulnerability. The project is urging users to upgrade to the latest version — 2.5.13 — immediately.
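As an added example, not code from the article or from the Struts project: a small check over a Maven pom.xml that reports whether struts2-core and struts2-rest-plugin are declared and whether the core version is below 2.5.13, the release the project pointed users to. The sample pom is constructed; only directly declared dependencies with explicit versions are examined, so transitive or parent-managed versions need a separate check.

```python
"""Flag a Maven project that declares the Struts REST plugin on a struts2-core
version below the fixed release named in the advisory (added example; the pom
below is constructed, not taken from any real project)."""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "2.5.13"  # release the Struts project urged users to upgrade to
MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.5.12</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>2.5.12</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """Split '2.5.12' into a comparable tuple (2, 5, 12); non-numeric parts sort low."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.-]", text))

def struts_dependencies(pom_xml):
    """Return {artifactId: version} for directly declared org.apache.struts deps."""
    root = ET.fromstring(pom_xml)
    found = {}
    for dep in root.iter(MAVEN_NS + "dependency"):
        group = dep.findtext(MAVEN_NS + "groupId")
        artifact = dep.findtext(MAVEN_NS + "artifactId")
        version = dep.findtext(MAVEN_NS + "version")
        if group == "org.apache.struts" and artifact and version:
            found[artifact] = version
    return found

def assess(pom_xml):
    """Return (core_version, rest_plugin_declared, needs_review)."""
    deps = struts_dependencies(pom_xml)
    core = deps.get("struts2-core")
    rest = "struts2-rest-plugin" in deps
    # Review is needed when the REST plugin is in use on a core older than 2.5.13.
    needs_review = core is not None and rest and parse_version(core) < parse_version(FIXED_VERSION)
    return core, rest, needs_review

if __name__ == "__main__":
    print(assess(SAMPLE_POM))
```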

This is the second time in 2017 that a flaw has been found in Struts. In March, threat intelligence firm Talos released details of a zero-day vulnerability, a remote code execution bug in the Jakarta Multipart parser of Apache Struts. That RCE could be triggered through file uploads handled by the parser.



Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
