Critical Apache Struts 2 flaw exposes servers to remote command execution
A critical vulnerability has been discovered in all supported versions of Apache Struts 2. The bug, made public by Semmle, allows attackers to execute commands on vulnerable servers using just a web browser. The Apache Software Foundation has released updates to fix the issue, but organizations are urged to patch immediately to avoid potential data theft or further attacks.
The vulnerability affects Struts 2 versions 2.3 and 2.5, with specific upgrade paths provided. Exploiting the bug requires only that an attacker send a specific request to the vulnerable server. In 2017, a similar Struts flaw was exploited by attackers within days of the patch release, leading to the Equifax data breach that exposed 147 million Americans' personal data. More technical details about the bug are available from its discoverer, Man Yue Mo. The Apache Software Foundation's advisory for the bug is available online.
Organizations are advised to apply the Apache Struts updates released on Aug. 22 to protect against this critical vulnerability. Failure to patch could leave systems exposed to attacks, potentially resulting in data theft or further compromise.
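The first step in acting on advice like this is knowing where Struts 2 is actually deployed. The script below is an added example, not code from the article or from the Apache project: it inventories `org.apache.struts` artifacts declared in a Maven `pom.xml`, resolves `${property}` version references, and flags anything in the 2.3 and 2.5 lines the article names as affected unless it is at or above a caller-supplied fixed version. The `pom.xml` content is constructed for the demo, and the fixed versions in `FIXED_VERSIONS_PLACEHOLDER` are placeholders that must be replaced with the values from the Apache Software Foundation advisory; the article does not state them.

```python
"""Inventory Apache Struts 2 versions in a Maven pom.xml and flag affected ones.

Added example (not from the article or the Apache project). The 2.3 and 2.5
version lines come from the article; the fixed versions are NOT given there,
so they are supplied by the caller and the demo values are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample pom.xml for the demo; not taken from any real project.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>webapp</artifactId>
  <version>1.0</version>
  <properties>
    <struts2.version>2.5.10</struts2.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts2.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-convention-plugin</artifactId>
      <version>2.3.20</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
AFFECTED_LINES = ("2.3", "2.5")  # version lines the article names as affected

# PLACEHOLDER values: replace with the fixed versions from the ASF advisory.
FIXED_VERSIONS_PLACEHOLDER = {"2.3": "2.3.999", "2.5": "2.5.999"}


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.5.10' -> (2, 5, 10); a qualifier such as '-rc1' is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def find_struts_versions(pom_xml: str) -> Dict[str, str]:
    """Map each org.apache.struts artifactId to its declared (resolved) version."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    found: Dict[str, str] = {}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if dep.findtext("m:groupId", "", NS).strip() != "org.apache.struts":
            continue
        artifact = dep.findtext("m:artifactId", "", NS).strip()
        version = dep.findtext("m:version", "", NS).strip()
        # Resolve ${prop} against <properties>; unknown props are left as-is.
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda mt: props.get(mt.group(1), mt.group(0)), version)
        found[artifact] = version
    return found


def classify(version: str, fixed: Dict[str, str]) -> str:
    """'affected', 'patched', 'unresolved' (unknown ${prop}) or 'review'.

    'review' means the version is outside the named 2.3/2.5 lines; that is
    not a clean bill of health, it means check the advisory by hand.
    """
    if "${" in version:
        return "unresolved"
    line = ".".join(str(x) for x in parse_version(version)[:2])
    if line not in AFFECTED_LINES:
        return "review"
    fixed_for_line = fixed.get(line)
    if fixed_for_line is None:
        return "affected"  # no fixed version supplied for this line: assume worst case
    return "patched" if parse_version(version) >= parse_version(fixed_for_line) else "affected"


def report(pom_xml: str, fixed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (artifactId, version, status) for every Struts artifact in the pom."""
    return [(a, v, classify(v, fixed)) for a, v in find_struts_versions(pom_xml).items()]


if __name__ == "__main__":
    for artifact, version, status in report(SAMPLE_POM, FIXED_VERSIONS_PLACEHOLDER):
        print(f"{status:10s} {artifact} {version}")
```

Run it against each service's `pom.xml` and treat every `affected` or `unresolved` row as a patch-now item; `review` rows are versions outside the 2.3 and 2.5 lines, which the article does not cover, so they still need checking against the advisory rather than being assumed safe.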