Are you the business owner of a large enterprise like Apple, Amazon, or Microsoft? If so, you (alongside those in government agencies) likely use Apache Struts 2. Unfortunately, a critical Apache Struts vulnerability may place your company, employees, and consumers at risk, which we’ll delve further into below.
What Is Apache Struts 2?
If you use Apache Struts, you likely develop Java-based web applications on this online open-source app framework. It acts like a group of tools that structures codes and better manages applications by separating them into three distinct parts: data, presentation, and logic. In short, it helps create interactive web applications.
What Flaw Is Threatening Apache Struts Users?
Unfortunately, researchers recently found a flaw in the latter logic category, also known as a controller.
A bug has led to a critical Apache Struts vulnerability severity score of 9.5 out of 10. Any attacker who exploits this flaw can alter file upload parameters, paving the way for path traversal.
With path traversal (or directory traversal) under attack, hackers can access directories and files outside your company’s web root folder. With this, alongside remote code execution, they can steal data. Moreover, they can upload their arbitrary files, which means they can run their commands and download more payloads for further exploitations.
Reducing the Risk of Becoming Vulnerable to This Vulnerability
To prevent attackers from taking over your company system, Apache encourages users to update to the latest version available to the public. Unfortunately, that’s not the only version available since there was a proof-of-concept leak for this critical Apache Struts vulnerability.
A proof-of-concept is a demonstration or preliminary test that tests a patch to determine how attackers compromise a system and whether a developed patch is enough to prevent these vulnerabilities. If these vulnerabilities become exploited and available to the public, they highlight how hackers are currently jeopardizing systems. The test then becomes a blueprint for other hackers, increasing attacks before a patch is ready.
With this exploit further harming this middleware, experts are now claiming the best we can do is upgrade to an unflawed version of the application, such as 6.4.0. Apache also says business owners like you should rewrite your code as an additional level of security. That way, you can ensure it uses the Action File Upload mechanism and its related interceptor.
So, don’t fall victim to deploying this critical Apache Struts vulnerability. Instead, stay on top of updates from the Apache team and keep your eyes open for further patches that can protect your company!
