Apache Struts vulnerability exposes sites to attack

The open-source Apache Struts 2 framework is a widely used component of Java web applications, and it is currently under attack. The attacks follow the March 6 disclosure by the Struts project of a remote code execution (RCE) vulnerability identified as CVE-2017-5638. The issue was patched the same day the Struts project made the disclosure, though multiple security firms have observed that attackers are actively going after unpatched systems.

"It is possible to perform a RCE attack with a malicious Content-Type value," the Apache Struts project warns in its advisory. "If the Content-Type value isn't valid, an exception is thrown which is then used to display an error message to a user." The flaw sits in the Jakarta Multipart parser: the error message is built from the attacker-supplied header value, which is evaluated as an OGNL expression. Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10 are affected; the fixed releases are 2.3.32 and 2.5.10.1.

John Matthew Holt, Waratek founder and CTO, commented in an email statement that the Struts vulnerability is critical because the attack can be achieved without authentication. To make matters worse, web applications don't necessarily need to successfully upload a malicious file to exploit this vulnerability, as just the presence of the vulnerable Struts library within an application is enough to exploit the vulnerability. "For users who have made custom changes on Struts source code, it could take days or weeks to upgrade," Holt stated.

Rapid7 is among the security vendors that are actively tracking the Struts vulnerability as well as enabling organizations to test if they are at risk. Rapid7 is the lead commercial sponsor behind the open-source m...
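The advisory excerpt above gives the trigger: a Content-Type value that is not valid provokes an exception whose message is built from the attacker-supplied header. A practical check for teams that cannot upgrade immediately is to inspect the Content-Type header of incoming requests, either at a reverse proxy or over its access logs, validating it against the RFC 7231 media-type grammar and flagging any value that carries OGNL expression syntax. The script below is an added example, not code from the article, the Struts project, Waratek or Rapid7. The log layout (a hypothetical access-log format with the request's Content-Type appended as `ct="..."`), the six request lines and the indicator list are all constructed for the example.

```python
from __future__ import annotations

import re

# Constructed sample: access-log lines with the request Content-Type appended
# as ct="...". The format and every line are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Mar/2017:10:01:22 +0000] "POST /struts2-showcase/upload.action HTTP/1.1" 200 ct="multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"
10.0.0.9 - - [07/Mar/2017:10:01:25 +0000] "GET /index.action HTTP/1.1" 200 ct="-"
203.0.113.7 - - [07/Mar/2017:10:02:03 +0000] "POST /struts2-showcase/upload.action HTTP/1.1" 500 ct="%{(#_='multipart/form-data').(#x=1)}"
203.0.113.7 - - [07/Mar/2017:10:02:04 +0000] "POST /login.action HTTP/1.1" 200 ct="${#context['foo']}"
10.0.0.12 - - [07/Mar/2017:10:02:40 +0000] "POST /legacy.action HTTP/1.1" 200 ct="text/plain; charset"
10.0.0.11 - - [07/Mar/2017:10:03:00 +0000] "POST /api/items HTTP/1.1" 200 ct="application/json; charset=utf-8"
"""

# Content-Type grammar from RFC 7231 section 3.1.1.1 (tchar set from RFC 7230 section 3.2.6):
#   media-type = type "/" subtype *( OWS ";" OWS parameter )
#   parameter  = token "=" ( token / quoted-string )
# Note that "#", "$" and "%" are legal token characters; "{", "(", "[" and "=" are not.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = rf"{TCHAR}+"
QUOTED_STRING = r'"(?:[^"\\\r\n]|\\.)*"'
PARAMETER = rf"{TOKEN}=(?:{TOKEN}|{QUOTED_STRING})"
MEDIA_TYPE_RE = re.compile(rf"^{TOKEN}/{TOKEN}(?:\s*;\s*{PARAMETER})*\s*$")

# Substrings that have no business in a Content-Type header but do appear in
# OGNL expressions. Compared case-insensitively. This list is an assumption of
# the example, not an official indicator set.
OGNL_MARKERS = ("%{", "${", "#_memberaccess", "@ognl.", "#context[", "#request[")

# Access-log line layout assumed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) ct="(?P<ct>.*)"$'
)


def is_well_formed_content_type(value: str) -> bool:
    """True if the header value matches the RFC 7231 media-type grammar."""
    return MEDIA_TYPE_RE.match(value) is not None


def ognl_markers(value: str) -> list[str]:
    """Return the OGNL indicator substrings present in the value, in list order."""
    low = value.lower()
    return [m for m in OGNL_MARKERS if m in low]


def classify_content_type(value: str) -> str:
    """'ognl' if expression syntax is present, 'malformed' if the grammar fails, else 'ok'.

    The two checks complement each other: a braced OGNL expression always fails
    the grammar, but a value could stay grammatically valid and still carry a
    marker, and a malformed value with no marker still triggers the exception path.
    """
    if ognl_markers(value):
        return "ognl"
    if not is_well_formed_content_type(value):
        return "malformed"
    return "ok"


def scan_log(text: str) -> list[dict]:
    """Parse access-log lines and return one finding per suspicious Content-Type."""
    findings: list[dict] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        ct = m.group("ct")
        if ct in ("", "-"):
            continue  # header absent, nothing for the parser to choke on
        verdict = classify_content_type(ct)
        if verdict != "ok":
            findings.append({
                "ip": m.group("ip"),
                "path": m.group("path"),
                "status": int(m.group("status")),
                "verdict": verdict,
                "markers": ognl_markers(ct),
                "content_type": ct,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['verdict']:9} {f['ip']:15} {f['path']:35} {f['content_type']}")
```

Two points about the design. First, the word `multipart/form-data` on its own is not an indicator, because every legitimate browser upload sends it; the signal is expression syntax (`%{`, `${`) or a value that cannot be a media type at all. Second, a `malformed` verdict with a 500 response is worth looking at even without an OGNL marker, since that is exactly the exception-then-error-message path the advisory describes. A check like this is a compensating control for the days or weeks Holt mentions; it does not replace upgrading.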