'Critical' Security Flaw Found In Plugin Used by Everyone From the IRS to Vodafone

By Kate Conger

A newly-discovered vulnerability in a popular open-source framework could put major companies’ data at risk of theft or deletion, according to researchers who revealed the bug.

The vulnerability, first reported by ZDNet, affects versions of the Apache Struts REST plugin dating back to 2008. The plugin is used in many web applications, and attackers could exploit the vulnerability to gain access to a company’s server.

“This particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin,” Bas van Schaik, a product manager at lgtm, wrote in a post announcing the vulnerability. “Organisations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and SHOWTIME are known to have developed applications using the framework.”

Apache Struts made a patch available yesterday. However, van Schaik warns that, shortly after the patch became available, working exploits for the vulnerability emerged online—so companies will need to patch as soon as possible.

Patching Struts can be tricky, Ars Technica reported after another critical Struts vulnerability was discovered in March. Because the framework is bundled into each application, an app may need to be rebuilt completely against the patched version rather than receiving a quick patch installation.
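Because the REST plugin ships inside each application's own WEB-INF/lib rather than being patched centrally, the first defensive step is an inventory of which deployed apps bundle it and at what version. The script below is an added example written for this article, not code from lgtm, Apache Struts or the article's author; it scans deployment directories for `struts2-rest-plugin-*.jar` files and flags any older than a fixed version that you must take from the Apache Struts advisory (the article gives no version numbers, so the value used here is a labelled placeholder, and the sample file list is constructed).

```python
"""Inventory deployed Java web apps for a bundled Apache Struts REST plugin jar.

Added example (not from the article or the Struts project). The fixed version
is NOT stated in the article; substitute the one from the Struts advisory.
"""
import re
from pathlib import Path

# Jar naming used by Maven builds: struts2-rest-plugin-<version>.jar
JAR_PATTERN = re.compile(r"^struts2-rest-plugin-(\d+(?:\.\d+)*)\.jar$")

# PLACEHOLDER: replace with the fixed plugin version from the Struts advisory.
FIXED_VERSION_PLACEHOLDER = "2.5.99"

# Constructed sample of what a deployment tree might contain (not real data).
SAMPLE_LIBS = [
    "/srv/apps/booking/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/srv/apps/booking/WEB-INF/lib/struts2-rest-plugin-2.5.10.jar",
    "/srv/apps/banking/WEB-INF/lib/struts2-rest-plugin-2.3.20.jar",
    "/srv/apps/portal/WEB-INF/lib/spring-web-5.0.0.jar",
]


def parse_version(version: str) -> tuple:
    """Turn '2.5.10' into (2, 5, 10) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def find_rest_plugin(lib_entries, fixed_version: str) -> list:
    """Return (path, version, needs_rebuild) for every REST plugin jar found.

    needs_rebuild is True when the bundled jar is older than fixed_version,
    meaning the application has to be rebuilt against the patched plugin.
    """
    fixed = parse_version(fixed_version)
    findings = []
    for entry in lib_entries:
        match = JAR_PATTERN.match(Path(entry).name)
        if not match:
            continue  # not the REST plugin (other jars are out of scope here)
        version = match.group(1)
        findings.append((entry, version, parse_version(version) < fixed))
    return findings


def apps_needing_rebuild(lib_entries, fixed_version: str) -> list:
    """Names of application directories (the parent of WEB-INF) that must be rebuilt."""
    apps = []
    for path, _version, needs_rebuild in find_rest_plugin(lib_entries, fixed_version):
        if needs_rebuild:
            app_dir = Path(path).parent.parent.parent.name  # .../<app>/WEB-INF/lib/x.jar
            if app_dir not in apps:
                apps.append(app_dir)
    return apps


def scan_deployments(root: Path, fixed_version: str) -> list:
    """Walk a real deployment root (e.g. a servlet container's webapps dir).

    Jars renamed or shaded without a version in the file name are not matched;
    inspect their META-INF/MANIFEST.MF separately.
    """
    jars = [str(p) for p in root.rglob("WEB-INF/lib/struts2-rest-plugin-*.jar")]
    return find_rest_plugin(jars, fixed_version)


if __name__ == "__main__":
    for path, version, needs_rebuild in find_rest_plugin(SAMPLE_LIBS, FIXED_VERSION_PLACEHOLDER):
        status = "REBUILD REQUIRED" if needs_rebuild else "ok"
        print(f"{status:17} {version:8} {path}")
    print("apps to rebuild:", apps_needing_rebuild(SAMPLE_LIBS, FIXED_VERSION_PLACEHOLDER))
```

Run it against a real tree with `scan_deployments(Path("/path/to/webapps"), "<fixed version>")`. Numeric tuple comparison matters: a plain string compare would rank "2.5.9" above "2.5.13" and miss a vulnerable build.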

“This vulnerability poses a huge risk, because the framework is typically used for designing publicly-accessible web applications. Struts is used in several airline booking systems as well as a number of financial institutions who use it in Internet banking applications,” said lgtm security researcher Man Yue Mo. “On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser. Organisations who use Struts should upgrade their components immediately.” [ZDNet/lgtm]