A severe remote code execution vulnerability has been sitting unnoticed in the Apache Struts web-app development framework for nine years, a flaw that researchers say threatens critical systems in banks, airlines, and many other organizations.
The vulnerability lies in the way that the Struts framework handles untrusted data and researchers at lgtm, the company that discovered the bug, say that it can be exploited on any server running an app built with a vulnerable version of Struts. The Apache Software Foundation, which maintains Struts, has released a fix for the bug, in Struts 2.5.13.
“The Struts framework is used by an incredibly large number and variety of organizations. This vulnerability poses a huge risk, because the framework is typically used for designing publicly-accessible web applications. Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications,” said Man Due Mo, one of the researchers who discovered the flaw.
“On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser. Organizations who use Struts should upgrade their components immediately.”
There’s no way of knowing how many apps are online that were built with vulnerable versions of Struts, but lgtm said analysts estimate that 65 percent of the Fortune 100 companies use Struts.
“This is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises. In the spirit of open source, we want to make sure that the community and industry are aware of these findings as we help uncover critical issues in large numbers of open-source projects,” said Oege de Moor, CEO of Semmle, the parent company of lgtm.
Exploit code for the Struts vulnerability has been added to the Metasploit framework, adding even more urgency to the installation of the fixed version.