A critical vulnerability found in the Apache Struts could allow hackers to compromise major Fortune 100 firms. Apache Struts is an open-source framework used to develop web applications and is used by businesses across the globe. Companies such as Lockheed Martin, Vodafone, Virgin Atlantic and others are among those that have developed applications using the Apache Struts framework.
According to security experts who detected the flaw, the vulnerability could allow hackers to remotely execute arbitrary code on any server running applications using the REST plugin, developed with Struts.
"The Struts framework is used by an incredibly large number and variety of organizations. This vulnerability poses a huge risk because the framework is typically used for designing publicly-accessible web applications," said Man Yue Mo, a security researcher at LGTM who led the effort to the discovery of the flaw. "Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser."
According to LGTM researchers, the flaw was caused by the way Struts decentralised untrusted data.
"I can't stress enough how incredibly easy this is to exploit," Bas van Schaik, product manager at Semmle, the firm whose software was used to discover the Struts flaw, told ZDNet. "A creative attacker will have a field day. And even worse: The organization under attack may not even notice until it is well too late."
Schaik also warned that the flaw could allow hackers to steal and even delete sensitive corporate and customer data.
Nearly 65% of Fortune 100 firms are estimated to actively use web applications built with the Apache Struts framework, according to analyst Fintan Ryan at RedMonk.
Apache Struts has released a patch addressing the vulnerability. However, for organizations that could potentially be affected by the flaw, simply updating may not be enough.
"The problem with deserialization vulnerabilities is that oftentimes, application code relies precisely on the unsafe deserialization routines being exploited -- therefore, anyone who is affected by this vulnerability needs to go beyond merely applying a patch and restarting the service since the patch will make changes to how the underlying application will treat incoming data. Apache mentions this in the 'Backward Compatibilty' section of S2-052. Updates that mention, 'it is possible that some REST actions stop working' is enough to cause cold sweats for IT operations folks who need to both secure their infrastructure and ensure that applications continue to function normally," Tod Beardsley, research director at Rapid7 told IBTimes UK.
"Organizations that rely on Struts to power their websites need to start that application-level testing now so as to avoid becoming the next victims in a wave of automated attacks that leverage this vulnerability," Beardsley told us.