Critical remote code execution vulnerability in Apache


Security researchers from lgtm.com have discovered a major remote code execution security flaw (CVE-2017-9805) in Apache Struts, a popular open-source framework for building web applications in the Java programming language, with support for REST, AJAX, and JSON.

All versions of Struts since 2008 are affected, and all web applications that use the framework's popular REST plugin are vulnerable.

According to researchers:
“This particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data. The lgtm security team have a simple working exploit for this vulnerability which will not be published at this stage. At the time of the announcement there is no suggestion that an exploit is publicly available, but it is likely that there will be one soon.”

Successful exploitation of the flaw could allow an attacker to gain full control of the affected server, and from there to move into other systems on the same network.

All users are advised to update their Apache Struts components as a matter of urgency. This security issue has been addressed in Struts version 2.5.13.
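A practical first step for a defender is an inventory check: which applications pull in the Struts REST plugin, and is the Struts version below the fixed release the article names? The script below is an added example written for this page; it is not code from lgtm.com, the article, or the Struts project. It assumes a Maven `pom.xml` layout, that the Struts core and REST plugin ship under the standard coordinates `org.apache.struts:struts2-core` and `org.apache.struts:struts2-rest-plugin`, and, following the article, it treats any core version below 2.5.13 as unpatched. The two POM fragments are constructed sample input.

```python
import re
import xml.etree.ElementTree as ET

# Fixed release as stated in the advisory text above (assumption: anything lower is unpatched).
FIXED_VERSION = (2, 5, 13)
STRUTS_GROUP = "org.apache.struts"
CORE_ARTIFACT = "struts2-core"
REST_PLUGIN_ARTIFACT = "struts2-rest-plugin"


def parse_version(text):
    """Turn '2.5.10' or '2.5.13-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def _local(tag, ns):
    # ElementTree keeps the Maven namespace in every tag; strip it for matching.
    return tag[len(ns):] if tag.startswith(ns) else tag


def struts_dependencies(pom_xml):
    """Return [(artifactId, version)] for every org.apache.struts dependency in the POM,
    resolving ${property} placeholders from the <properties> block."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    props = {}
    for props_el in root.iter(ns + "properties"):
        for child in props_el:
            props[_local(child.tag, ns)] = (child.text or "").strip()
    found = []
    for dep in root.iter(ns + "dependency"):
        fields = {_local(c.tag, ns): (c.text or "").strip() for c in dep}
        if fields.get("groupId") != STRUTS_GROUP:
            continue
        version = fields.get("version", "")
        m = re.fullmatch(r"\$\{([^}]+)\}", version)
        if m:
            version = props.get(m.group(1), "")
        found.append((fields.get("artifactId", ""), version))
    return found


def assess(pom_xml):
    """Summarise exposure: REST plugin present AND struts2-core below the fixed version."""
    deps = struts_dependencies(pom_xml)
    rest_plugin = any(a == REST_PLUGIN_ARTIFACT for a, _ in deps)
    core_versions = [v for a, v in deps if a == CORE_ARTIFACT]
    # A version inherited from a parent POM or dependencyManagement shows up as ""; report it
    # separately rather than silently treating it as safe.
    unknown = [v for v in core_versions if not v]
    outdated = [v for v in core_versions if v and parse_version(v) < FIXED_VERSION]
    return {
        "rest_plugin": rest_plugin,
        "struts_core_versions": core_versions,
        "below_fixed_version": outdated,
        "unknown_version": unknown,
        "exposed": rest_plugin and bool(outdated),
    }


# Constructed sample POMs (not from any real project).
SAMPLE_POM_VULNERABLE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts2.version>2.5.10</struts2.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId><artifactId>struts2-core</artifactId>
      <version>${struts2.version}</version></dependency>
    <dependency><groupId>org.apache.struts</groupId><artifactId>struts2-rest-plugin</artifactId>
      <version>${struts2.version}</version></dependency>
  </dependencies>
</project>"""

SAMPLE_POM_PATCHED = SAMPLE_POM_VULNERABLE.replace("2.5.10", "2.5.13")

if __name__ == "__main__":
    for name, pom in (("vulnerable", SAMPLE_POM_VULNERABLE), ("patched", SAMPLE_POM_PATCHED)):
        print(name, assess(pom))
```

Run against real projects, point `assess` at each module's effective POM (for example the output of `mvn help:effective-pom`) so that inherited versions are resolved before the check; a core version reported under `unknown_version` should be treated as unverified, not as safe.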

Source: https://www.pentestingexperts.com/critical-remote-code-execution-vulnerability-in-apache/