Apache Struts 2.5.13, a Java web framework for building Model-View-Controller web applications, has been released. The release fixes a critical vulnerability (CVE-2017-9805) that allows remote code execution on the server.
The attack is carried out by sending a specially crafted HTTP request. The vulnerability affects applications that use the REST plug-in with the XStream handler for deserializing XML request bodies (the plug-in's default configuration): the handler hands the untrusted XML to XStream without restricting which classes may be instantiated, so the client controls what gets created on the server. The same fix is available for the 2.3 branch as Struts 2.3.34, and applications that do not use the REST plug-in can remove it outright.
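To make the mechanism concrete, here is an added example that is not code from the Struts project or from this article. It contrasts an XStream instance configured the way the REST plug-in used it before 2.5.13 (any class named in the XML is instantiated) with one that enforces a type allow-list, which is the approach the 2.5.13 fix takes. `XStreamHandlerDemo` is a hypothetical stand-in for the plug-in's handler, and the `Order` class, the `order` alias and the two request bodies are constructed for the example. It needs XStream 1.4.7 or later on the classpath, which is when the security permission API appeared.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHandlerDemo {

    /** The only type this hypothetical REST endpoint is meant to accept (constructed for the example). */
    public static class Order {
        public String item;
        public int quantity;
    }

    /**
     * Unrestricted configuration, mirroring the REST plug-in before 2.5.13: whatever
     * fully-qualified class name the client puts in the root element is instantiated.
     * AnyTypePermission is added explicitly only so the example behaves the same on
     * newer XStream releases that default to a whitelist; the vulnerable plug-in simply
     * never configured XStream's security framework at all.
     */
    static XStream unrestricted() {
        XStream xs = new XStream();
        xs.addPermission(AnyTypePermission.ANY);
        xs.alias("order", Order.class);
        return xs;
    }

    /**
     * Allow-listed configuration: deny every type first, then re-admit null, primitives,
     * String and the application's own model class. Any other root element is rejected
     * by the mapper before a single object is created.
     */
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, Order.class });
        xs.alias("order", Order.class);
        return xs;
    }

    /** Returns the deserialized object, or null when the allow-list rejected the payload. */
    static Object tryDeserialize(XStream xs, String body) {
        try {
            return xs.fromXML(body);
        } catch (ForbiddenClassException e) {
            System.out.println("rejected by allow-list: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed request bodies. The second names a JDK class instead of <order>;
        // a real payload would name a class whose deserialization has side effects.
        String legit   = "<order><item>widget</item><quantity>3</quantity></order>";
        String foreign = "<java.util.HashMap/>";

        System.out.println("unrestricted, legit:   " + tryDeserialize(unrestricted(), legit).getClass().getName());
        System.out.println("unrestricted, foreign: " + tryDeserialize(unrestricted(), foreign).getClass().getName());
        System.out.println("hardened, legit:       " + tryDeserialize(hardened(), legit).getClass().getName());
        Object rejected = tryDeserialize(hardened(), foreign);
        System.out.println("hardened, foreign:     " + (rejected == null ? "blocked" : rejected.getClass().getName()));
    }
}
```

The point to take from the run is that the unrestricted instance happily returns a `java.util.HashMap` for a request that was supposed to carry an `Order`: the class to instantiate is chosen by the sender, and HashMap merely stands in for a class with dangerous side effects. The hardened instance rejects the same body with `ForbiddenClassException` and still accepts the legitimate one. Until an upgrade is possible, the Struts advisory's workaround achieves a similar effect from the other side by keeping the XML handler from ever being selected: drop the REST plug-in if it is unused, or restrict it to normal pages and JSON with `<constant name="struts.action.extension" value="xhtml,,json" />` in struts.xml.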
Users are advised to install the fix as soon as possible, since mass attacks on corporate networks through Apache Struts-based applications are likely to follow. According to the available statistics, about 65% of Fortune 100 companies use Struts-based applications, and almost all such enterprise applications use the REST plug-in. In particular, systems based on Apache Struts are used at Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader's Digest, Office Depot and SHOWTIME, opennet.ru reports.
Given how widely Apache Struts is used in the corporate environment to build public-facing web services (for example, Struts underlies many banking services and air ticket reservation systems), the damage from exploiting the vulnerability can be very significant. For example, the head of security at one of the top-tier US banks believes that attacks on Apache Struts pose a greater threat than the POODLE vulnerability in SSL.