Stop us if you've heard this one: Remote code hijacking flaw in Apache Struts, patch ASAP

www.theregister.co.uk | 11/6/2018 | Staff

The Apache Software Foundation is urging developers to update their Struts 2 installations, and any projects built on the framework, after a critical security flaw was found in a key component bundled with it.

A warning this week from Apache says developers should make sure their websites and other applications are running Struts version 2.5.12 or later to protect against exploits of CVE-2016-1000031. The vulnerability is a Java deserialization flaw in the commons-fileupload library: its DiskFileItem class can be abused as a deserialization gadget, so an application that deserializes attacker-controlled objects with a vulnerable copy of the library on its classpath can be made to write arbitrary files and, from there, run attacker-supplied code. Struts 2.5.12 and later bundle commons-fileupload 1.3.3, the release that fixes the issue.


A miscreant could exploit the flaw to execute code remotely on the targeted host, potentially seizing control of the server, installing spyware, and causing other mischief. The trigger is not an ordinary malicious upload: the attacker needs a path by which the application deserializes data they control, and a crafted serialized DiskFileItem object sent down that path is what causes the arbitrary file write that leads to code execution.

"Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload," Apache said in...
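The practical question behind Apache's advice is whether a given deployment still carries the vulnerable library. The script below is an added example written for this page, not Apache's or The Register's code: it walks a deployment directory, finds commons-fileupload and struts2-core jars, reads each jar's Maven pom.properties (falling back to the file name), and flags anything older than the fixed versions the advisory names (commons-fileupload 1.3.3, Struts 2.5.12). The sample WEB-INF/lib tree it scans is constructed in a temporary directory for demonstration; the jar names and versions in it are assumed, not taken from any real deployment.

```python
"""Flag Struts 2 deployments still shipping a commons-fileupload vulnerable to CVE-2016-1000031."""
import os
import re
import tempfile
import zipfile

# Fixed versions cited in the advisory: commons-fileupload 1.3.3, Struts 2.5.12.
FIXED = {"commons-fileupload": (1, 3, 3), "struts2-core": (2, 5, 12)}

# Matches e.g. commons-fileupload-1.3.2.jar or struts2-core-2.3.34.jar.
JAR_NAME = re.compile(r"^(?P<artifact>commons-fileupload|struts2-core)-(?P<version>[\d.]+)\.jar$")


def parse_version(text):
    """Turn '1.3.2' into (1, 3, 2); any non-numeric tail such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_from_jar(path):
    """Prefer the version Maven recorded inside the jar; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            for name in jar.namelist():
                if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                    for line in jar.read(name).decode("utf-8", "replace").splitlines():
                        if line.startswith("version="):
                            return parse_version(line.split("=", 1)[1].strip())
    except zipfile.BadZipFile:
        pass  # not a readable jar; the file name is all we have
    m = JAR_NAME.match(os.path.basename(path))
    return parse_version(m.group("version")) if m else None


def scan(root):
    """Return (jar path, artifact, version tuple, vulnerable?) for every matching jar under root.

    A jar whose version cannot be determined is reported as vulnerable rather than silently skipped.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            m = JAR_NAME.match(fn)
            if not m:
                continue
            artifact = m.group("artifact")
            path = os.path.join(dirpath, fn)
            version = version_from_jar(path)
            vulnerable = version is None or version < FIXED[artifact]
            findings.append((path, artifact, version, vulnerable))
    return findings


def write_jar(lib_dir, group_id, artifact, version):
    """Create a minimal jar carrying only the Maven pom.properties that scan() reads."""
    path = os.path.join(lib_dir, f"{artifact}-{version}.jar")
    props = f"version={version}\ngroupId={group_id}\nartifactId={artifact}\n"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(f"META-INF/maven/{group_id}/{artifact}/pom.properties", props)
    return path


def make_sample_deployment():
    """Constructed sample (assumed versions, not a real server): one unpatched app, one patched."""
    root = tempfile.mkdtemp(prefix="struts-scan-")
    old_lib = os.path.join(root, "legacy-app", "WEB-INF", "lib")
    new_lib = os.path.join(root, "patched-app", "WEB-INF", "lib")
    os.makedirs(old_lib)
    os.makedirs(new_lib)
    write_jar(old_lib, "commons-fileupload", "commons-fileupload", "1.3.2")  # vulnerable
    write_jar(old_lib, "org.apache.struts", "struts2-core", "2.3.34")        # below 2.5.12
    write_jar(new_lib, "commons-fileupload", "commons-fileupload", "1.3.3")  # fixed
    write_jar(new_lib, "org.apache.struts", "struts2-core", "2.5.12")        # fixed
    return root


def vulnerable_jars(root):
    """Convenience wrapper: just the paths of jars that need replacing."""
    return [path for path, _, _, bad in scan(root) if bad]


if __name__ == "__main__":
    sample = make_sample_deployment()
    for path, artifact, version, bad in scan(sample):
        status = "VULNERABLE" if bad else "ok"
        print(f"{status:10} {artifact} {'.'.join(map(str, version))}  {path}")
```

Point `scan()` at a real webapps directory to use it. Because the two artifacts are checked independently, a Struts 2.3.x install whose commons-fileupload jar has been manually swapped for 1.3.3 shows up clean on the library line and is still flagged on the struts2-core line, which matches the advice above: the fixed library closes the CVE, but 2.5.12 or later is the version Apache is telling people to run.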
(Excerpt) Read more at: www.theregister.co.uk