An estimated 65% of Fortune 100 companies could be vulnerable to a security bug discovered in Apache Struts, a popular Java MVC framework used in the development of many top-grade enterprise applications.
Man Yue Mo, a security with lgtm.com, found this flaw — tracked under the identifier of CVE-2017-9805. The vulnerability resides in Apache Struts’ REST plugin, a must-have in almost all Struts enterprise deployments.
According to the researcher, the weakness is caused by the way Struts deserializes unsanitized user-supplied data. An attacker could upload a malformed file and take over an application after gaining remote code execution rights on the target’s Struts-based application server.
Attackers can exploit the bug via HTTP requests or via any other socket connection.
Mo said he contacted the Apache Foundation and reported the flaw in private. On Monday, the Apache Struts team released Apache Struts v2.5.13, which includes a fix for CVE-2017-9805.
The researcher said neither he nor lgtm.com have detected attacks that tried to exploit this vulnerability. No publicly available exploit code was available at the time of the Apache Struts and lgtm.com announcements, but this will most likely change in the following days. [UPDATE: Here it is.]
Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and SHOWTIME are among the organizations known to have used Struts for their infrastructure.
“This illustrates how widespread the risk is,” said Bas van Schaik, a lgtm.com spokesperson.
This type of “deserialize” vulnerability has plagued the Java landscape since early 2015, and has been recently discovered to affect .NET applications as well.
The Java deserialization flaw was so dangerous that Google engineers banded together in their free time to repair open-source Java libraries and limit the flaw's reach, patching over 2,600 projects. Internally at Google, the flaw was referenced to as Mad Gadget, but the world referred to it as the Java Apocalypse.