A team of security researchers at LGTM recently discovered a security flaw in Apache Struts that allows hackers to easily breach an affected server and gain access to sensitive corporate data. The weakness enables attackers to remotely run code on servers running applications that use the REST plugin built with Apache Struts. Reportedly, all versions of Struts since 2008 are affected. As many Fortune 100 companies use Apache Struts to provide Java web applications powering their front- and back-end systems, the vulnerability could put them at risk.
The team of researchers was led by Man Yue Mo, a security researcher at LGTM. According to Mo, a web browser alone is enough for a hacker, as Struts is used in airline booking and internet banking systems and many other publicly accessible web applications. Semmle provided the analytical software that was used to discover the security flaw.
Semmle’s product manager Bas van Schaik, said, “I can’t stress enough how incredibly easy this is to exploit. If you know what request to send, you can start any process on the web server running a vulnerable application.”
Mo also said that the security flaw is caused by the way Struts deserializes untrusted data. Apparently, the vulnerability can be exploited by attackers to run commands on firewall-protected servers. The compromised servers can then be used to bypass the corporate firewall and reach restricted network areas.
Van Schaik further said that the weakness even allows a hacker to delete data on the network. “An attacker can use the vulnerability to find the credentials, connect to the database server, and extract all data. A creative attacker will have a field day. And even worse: The organization under attack may not even notice until it is well too late,” he added.
According to him, there had been no known exploitation of this vulnerability. However, he cautioned that the public announcement of the details could change that.
Reportedly, the researchers have already developed an exploit but did not release it, in order to give companies time to patch their systems. Apache also released a source code fix a few weeks ago and a full patch this week.