Security researchers from lgtm.com have found a significant remote code execution vulnerability (CVE-2017-9805) in Apache Struts, a popular open-source framework for developing web applications in the Java programming language, with support for REST, AJAX, and JSON.
All versions of Struts released since 2008 are vulnerable, and so is every web application that uses the framework’s popular REST plugin.
According to the researchers:
“This particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data. The lgtm security team have a simple working exploit for this vulnerability which will not be published at this stage. At the time of the announcement there is no suggestion that an exploit is publicly available, but it is likely that there will be one soon.”
Successful exploitation of the flaw could give an attacker full control of the affected server, and from there a foothold for moving to other systems on the same network.
All users are advised to update their Apache Struts components as a matter of urgency. This security issue has been addressed in Struts version 2.5.13.