Critical Security Advisory for Struts2 Users
On July 20, the National Vulnerability Database disclosed a serious vulnerability in Struts2 that affects every release up to and including 2.3.15. It is similar to the other recent "expression language injection" (OGNL injection) vulnerabilities in Struts2, with one important difference: ALL Struts2 deployments in the affected range are vulnerable, regardless of configuration or how the application itself was coded.
Given the widespread usage of Struts and the critical nature of this vulnerability, it is imperative that affected organizations take action. The flaw allows immediate, unauthenticated remote code execution, and working exploits are circulating widely. A successful exploit gives the attacker complete control of the vulnerable application server: compromise of sensitive data, manipulation of the web application, and a foothold from which to penetrate further into sensitive infrastructure.
The published exploits could be turned into a self-propagating worm, in the manner of Code Red, with minimal effort, and likely already have been. There are several possible ways to deal with this vulnerability, but upgrading Struts2 to the latest version (2.3.15.1 is the first release that closes the hole) is the most effective.
This disclosure also highlights the importance of maintaining a comprehensive inventory of deployed applications and their software bills of materials. With such an inventory, the applications that actually ship an affected Struts2 version can be identified immediately, so the response to a disclosure like this one is targeted efficiently and remediated quickly instead of becoming a hunt through every deployment.
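The triage step the previous paragraph describes, as an added example that is not part of the Sonatype advisory: given an application inventory in which each application lists the Maven coordinates (group:artifact:version) from its bill of materials, find every application shipping a struts2-core in the affected range and report the upgrade target. The inventory and application names below are constructed sample data; the only facts taken from the advisory are the affected range (up to and including 2.3.15) and the fixed release (2.3.15.1).

```python
# Added example, not code from the Sonatype advisory: triage an application
# inventory against the Struts2 advisory.  INVENTORY is constructed sample
# data and the application names are hypothetical.
import re

# Range quoted by the advisory: every Struts2 release up to and including 2.3.15.
LAST_AFFECTED = "2.3.15"
# First upstream release that closes the hole.
FIXED = "2.3.15.1"

STRUTS2_CORE = ("org.apache.struts", "struts2-core")

# Constructed sample inventory: one record per deployed application, each with
# the Maven coordinates (group:artifact:version) taken from its bill of materials.
INVENTORY = [
    {"app": "billing-portal",
     "deps": ["org.apache.struts:struts2-core:2.3.14.3", "log4j:log4j:1.2.17"]},
    {"app": "hr-intranet",
     "deps": ["org.apache.struts:struts2-core:2.3.15",
              "org.apache.struts:struts2-spring-plugin:2.3.15"]},
    {"app": "ops-dashboard",
     "deps": ["org.apache.struts:struts2-core:2.3.15.1"]},
    {"app": "legacy-crm",
     "deps": ["struts:struts:1.3.10"]},   # Struts 1, a different code base
    {"app": "api-gateway",
     "deps": ["org.springframework:spring-webmvc:3.2.3.RELEASE"]},
]


def version_key(version):
    """Turn '2.3.15.1' into (2, 3, 15, 1) so versions compare numerically.

    Parsing stops at the first non-numeric token, so '2.3.15-SNAPSHOT' is
    ranked with 2.3.15 rather than compared as a string.  Tuples of different
    length compare element-wise, so (2, 3, 15) < (2, 3, 15, 1), as required.
    """
    key = []
    for token in re.split(r"[.\-]", version):
        if not token.isdigit():
            break
        key.append(int(token))
    return tuple(key)


def is_affected(version):
    """True for any struts2-core version up to and including LAST_AFFECTED."""
    return version_key(version) <= version_key(LAST_AFFECTED)


def parse_coordinate(coord):
    """Split 'group:artifact[:packaging[:classifier]]:version' into
    (group, artifact, version); the version is always the last field."""
    parts = coord.split(":")
    if len(parts) < 3:
        raise ValueError("not a Maven coordinate: %r" % coord)
    return parts[0], parts[1], parts[-1]


def find_affected(inventory):
    """Map each application that ships an affected struts2-core to that version."""
    hits = {}
    for record in inventory:
        for coord in record["deps"]:
            group, artifact, version = parse_coordinate(coord)
            if (group, artifact) == STRUTS2_CORE and is_affected(version):
                hits[record["app"]] = version
    return hits


def report(inventory):
    """Human-readable triage list, oldest (most stale) version first."""
    hits = find_affected(inventory)
    lines = ["%d of %d applications ship an affected struts2-core:"
             % (len(hits), len(inventory))]
    for app, version in sorted(hits.items(), key=lambda kv: version_key(kv[1])):
        lines.append("  %-16s struts2-core %s -> upgrade to %s"
                     % (app, version, FIXED))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY))
```

Matching on the published coordinate is only as good as the bill of materials: a struts2-core that was copied into a WAR by hand, repackaged under another group id, or shaded into a fat jar will not appear under org.apache.struts:struts2-core, which is exactly why the inventory has to be built from what is actually deployed rather than from build files alone.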
Next Steps to Manage your Vulnerability
- Register for Sonatype Advisories.
- Request assistance with the Struts vulnerability.
- Learn more about the FBI Warning.
- Review all advisories.