
posted by chromas on Saturday August 25 2018, @04:14AM
from the validate-your-inputs");drop⠀table⠀comments;\ dept.

Submitted via IRC for Bytram & SoyCow4408

Vulnerability:

A critical remote code-execution vulnerability in Apache Struts 2, the popular open-source framework for developing web applications in the Java programming language, is threatening a wide range of applications, even when no additional plugins have been enabled. Successful exploitation could lead to full endpoint and eventually network compromise, according to researchers – who said that the flaw is more dangerous than the similar vulnerability used to compromise Equifax last year.

The vulnerability (CVE-2018-11776) was patched by the Apache Software Foundation yesterday and affects all supported versions of Struts 2: Users of Struts 2.3 should upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. They should do so as soon as possible, given that bad actors are likely already working on exploits, according to the Semmle research team's Man Yue Mo, who uncovered the flaw.

[...] The vulnerability is caused by insufficient validation of untrusted user data in the core of the Struts framework, according to the team's findings.
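Since the only fix on offer is the version bump named above (2.3.35 for the 2.3 branch, 2.5.17 for the 2.5 branch), the first thing a defender wants is a quick inventory check. The following is an added example, not code from the Semmle or Apache teams; it assumes nothing beyond the fixed versions quoted in the story, and the treatment of unsupported Struts 2 branches as unpatched is a conservative assumption of mine rather than something the advisory states.

```python
import re

# Fixed releases named in the story for CVE-2018-11776, keyed by branch.
FIXED = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}

def parse_version(v):
    """Turn '2.5.16' into (2, 5, 16); reject anything that is not dotted ints."""
    v = v.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", v):
        raise ValueError(f"not a version string: {v!r}")
    return tuple(int(p) for p in v.split("."))

def is_vulnerable(version):
    """True if a struts2-core version is below its branch's fixed release.

    Returns None for non-Struts-2 majors (out of scope for this CVE).
    A 2.x branch with no fixed release listed (assumption: 2.1, 2.2, ...)
    is unsupported, so there is nothing to upgrade to on that branch;
    flag it rather than silently passing it.
    """
    parts = parse_version(version)
    if parts[0] != 2:
        return None
    fixed = FIXED.get(parts[:2])
    if fixed is None:
        return True
    return parts < fixed

JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")

def scan_jars(names):
    """Given jar file names (e.g. an os.listdir of WEB-INF/lib), list the vulnerable ones."""
    findings = []
    for name in names:
        m = JAR_RE.search(name)
        if m and is_vulnerable(m.group(1)):
            findings.append((name, m.group(1)))
    return findings

if __name__ == "__main__":
    # Constructed sample listing; replace with os.listdir("WEB-INF/lib") on a real deployment.
    sample = ["struts2-core-2.5.16.jar", "struts2-core-2.5.17.jar",
              "struts2-core-2.3.34.jar", "commons-lang3-3.7.jar"]
    for name, ver in scan_jars(sample):
        print(f"{name}: struts2-core {ver} is affected by CVE-2018-11776; upgrade")
```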

Exploit:

On Friday, proof-of-concept code was released on GitHub along with a Python script that allows for easy exploitation, according to Allan Liska, senior security architect with Recorded Future.

"[We have] also detected chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability," he wrote in a post.

[...] Liska said the Apache Struts 2 vulnerability is potentially even more damaging than a similar 2017 Apache Struts bug used to exploit Equifax.

[...] The fact that a patch is available to fix the vulnerability should give cold comfort to companies potentially impacted by the flaw, said Oege de Moor, chief operating officer at Semmle.

"The Equifax breach happened not because the vulnerability wasn't fixed, but because Equifax hadn't yet updated Struts to the latest version. If this is a true working PoC, then any company who hasn't had the time to update their software will now be at even greater risk," de Moor said.

[Update: Additional coverage on Brian Krebs website - Ed.]


(Score: 1, Interesting) by Anonymous Coward on Saturday August 25 2018, @04:59PM (#726262)

There is a point at which you don't want to be reinventing the wheel. If you dynamically link to these libraries, the bugs could be fixed there independently of the main application. But some projects import specific versions of third party code into their application, perhaps even modifying it. Even if a bug is fixed in the library, the app will not receive the fix. Case in point, the Pale Moon people getting pissy at BSD people for daring to link with system libraries instead of the ones in their source tree.
