Experts Urge Rapid Patching of ‘Struts’ Bug


In September 2017, **Equifax** disclosed that a failure to patch one of its Internet servers against a pervasive software flaw -- in a Web component known as **Apache Struts** -- led to a breach that [exposed personal data on 147 million Americans](<https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/>). Now security experts are warning that blueprints showing malicious hackers how to exploit a newly-discovered Apache Struts bug are available online, leaving countless organizations in a rush to apply new updates and plug the security hole before attackers can use it to wriggle inside. ![](https://krebsonsecurity.com/wp-content/uploads/2018/08/apache.png) On Aug. 22, the **Apache Software Foundation** released software updates to fix [a critical vulnerability](<https://cwiki.apache.org/confluence/display/WW/S2-057>) in Apache Struts, a Web application platform used by an estimated 65 percent of Fortune 100 companies. Unfortunately, computer code that can be used to exploit the bug has since been posted online, meaning bad guys now have precise instructions on how to break into vulnerable, unpatched servers. Attackers can exploit a Web site running the vulnerable Apache Struts installation using nothing more than a Web browser. The bad guy simply needs to send the right request to the site and the Web server will run any command of the attacker's choosing. At that point, the intruder could take any number of actions, such as adding or deleting files, or copying internal databases. An [alert](<https://semmle.com/news/apache-struts-CVE-2018-11776>) about the Apache security update was posted Wednesday by **Semmle**, the San Francisco software company whose researchers discovered the bug. "The widespread use of Struts by leading enterprises, along with the proven potential impact of this sort of vulnerability, illustrate the threat that this vulnerability poses," the alert warns. "Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit," wrote Semmle co-founder **Pavel Avgustinov**. "A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk." The timeline in the 2017 Equifax breach highlights how quickly attackers can take advantage of Struts flaws. On March 7, 2017, Apache released a patch for a similarly dangerous Struts flaw, and within 24 hours of that update security experts began tracking signs that attackers were exploiting vulnerable servers. Just three days after the patch was released, attackers found Equifax's servers were vulnerable to the Apache Struts flaw, and used the vulnerability as an initial entry point into the credit bureau's network. [![](https://krebsonsecurity.com/wp-content/uploads/2018/08/equifaxhack.png)](<https://krebsonsecurity.com/wp-content/uploads/2018/08/equifaxhack.png>) A slide from "We are all Equifax," an RSA talk given in April 2018 by Derek Weeks. The vulnerability affects all supported versions of Struts 2. Users of Struts _2.3_ should upgrade to version _2.3.35;_ users of Struts _2.5_ should upgrade to _2.5.17_. More technical details about this bug from its discoverer, **Man Yue Mo**, are [here](<https://lgtm.com/blog/apache_struts_CVE-2018-11776>). The Apache Software Foundation's advisory is [here](<https://cwiki.apache.org/confluence/display/WW/S2-057>).