A critical Apache Struts security flaw makes it ‘easy’ to hack Fortune 100 firms

Jonathan Mathews


A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server — putting sensitive corporate data at risk.

The vulnerability allows an attacker to remotely run code on servers running applications that are built with Apache Struts and use its REST plugin, according to the security researchers who discovered it.

All versions of Struts since 2008 are affected, said the researchers.

Apache Struts is used across the Fortune 100 to build web applications in Java, and it powers both front- and back-end applications. Man Yue Mo, a security researcher at LGTM who led the research that discovered the bug, said that Struts is used in many publicly accessible web applications, such as airline booking and internet banking systems.

Mo said that all a hacker needs “is a web browser.”

“I can’t stress enough how incredibly easy this is to exploit,” said Bas van Schaik, product manager at Semmle, a company whose analytical software was used to discover the vulnerability.

“If you know what request to send, you can start any process on the web server running a vulnerable application,” he said.

The vulnerability is caused by how Struts deserializes untrusted data, Mo said. An attacker can exploit the flaw to run any command on an affected Struts server, even behind a company firewall. “If the server contains customer or user data it’s not hard at all to collect that data and transfer it to somewhere else,” van Schaik said. The attacker can also use the server as an entry point to other areas of the network, effectively bypassing the corporate firewall and gaining access to other shielded-off areas of the company, he said.
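The root cause Mo and van Schaik describe, a deserializer that reconstructs whatever types an incoming document names, is the class of bug that an allowlist on the deserializer is meant to close. The following is an added example for readers of this article, not code from the article or from the Struts project. It assumes the XML payloads are handled by the XStream library, as the Struts REST plugin's XML handler does (an assumption, not something the article states), and `Order` is a hypothetical application type standing in for whatever an endpoint legitimately accepts. The weak configuration admits types the endpoint has no business reconstructing; the hardened one denies everything and then re-admits only the expected payload type.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class DeserializationAllowlist {

    // Hypothetical application type: the only thing this endpoint should ever build.
    public static class Order {
        public String sku;
        public int quantity;
    }

    // Weak setting: no type restriction beyond the library defaults.
    // With XStream releases before 1.4.18 (the ones current at the time of this
    // vulnerability) that means any class on the classpath can be named by the
    // document; later defaults are tighter but still admit far more (for example
    // the JDK collection types) than a single endpoint needs.
    public static XStream openDeserializer() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        return xs;
    }

    // Hardened setting: deny every type, then allow only what this endpoint expects.
    public static XStream allowlistedDeserializer() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);                 // start from "nothing is allowed"
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);    // int, boolean, ... for plain fields
        xs.allowTypes(new Class[] { Order.class, String.class });// the payload type and its field types
        xs.alias("order", Order.class);
        return xs;
    }

    // Constructed sample documents (not captured traffic). The second names a
    // harmless JDK type the endpoint never expects; it stands in for any
    // unexpected type an untrusted client might name in a request body.
    static final String EXPECTED_DOC =
        "<order><sku>ABC-123</sku><quantity>2</quantity></order>";
    static final String UNEXPECTED_DOC =
        "<java.util.ArrayList><string>not an order</string></java.util.ArrayList>";

    public static void main(String[] args) {
        XStream open = openDeserializer();
        XStream safe = allowlistedDeserializer();

        System.out.println("open, expected:   " + open.fromXML(EXPECTED_DOC).getClass().getName());
        // The open deserializer builds the unexpected type without complaint.
        System.out.println("open, unexpected: " + open.fromXML(UNEXPECTED_DOC).getClass().getName());

        System.out.println("safe, expected:   " + safe.fromXML(EXPECTED_DOC).getClass().getName());
        try {
            safe.fromXML(UNEXPECTED_DOC);
        } catch (ForbiddenClassException e) {
            // Rejected by the security mapper before any instance is constructed.
            // The refused type name is worth logging: it is a cheap detection signal
            // for clients probing the endpoint with types it never accepts.
            System.out.println("safe, unexpected: rejected " + e.getMessage());
        }
    }
}
```

Compile against an XStream jar and run the class; the open deserializer reports `java.util.ArrayList` for the second document, while the allowlisted one throws `ForbiddenClassException` for it and only ever builds `Order`. The design point is that the allowlist is per endpoint and as small as the endpoint's contract: a library-wide default, however sensible, cannot know that a given route should only ever produce an `Order`.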
