The Apache Software Foundation has patched a critical remote code execution vulnerability affecting all versions of the popular application development framework Struts since 2008.
All web applications using the framework’s REST plugin are vulnerable.
Users are advised to upgrade their Apache Struts components as a matter of urgency, according to Semmle, a software engineering analytics firm that first identified the bug.
“This particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data,” the company wrote in a technical write-up on the vulnerability published on Tuesday in coordination with the release of a patch by the Apache Software Foundation (ASF).
“This is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises,” said Oege de Moor, CEO and founder of Semmle.
Affected developers are urged to upgrade to Apache Struts version 2.5.13.
The ASF said there is no workaround available for the vulnerability (CVE-2017-9805) in Struts, an open-source framework for developing web applications in the Java programming language.
“The best option (sans an upgrade) is to remove the Struts REST plugin when not used or limit it to server normal pages and JSONs only,” the ASF wrote in a security bulletin issued Tuesday.
Semmle cites estimates that the vulnerability could impact the 65 percent of Fortune 100 companies that use web applications built with the Struts framework.