New RCE Flaw in Apache Struts Could Be Another Equifax in the Making
Hack Ware News, Thu, 23 Aug 2018
https://hackwarenews.com/new-rce-flaw-in-apache-struts-could-be-another-equifax-in-the-making/

Hackers are constantly on the lookout for system vulnerabilities that could give them control of important systems, and a new one recently surfaced in the Apache Struts open source framework, one that could give hackers complete control of a system and lead to an Equifax-level security breach.

RCE, or Remote Code Execution, flaws can give hackers complete control of systems. Companies that use the Apache Struts framework, most of which are Fortune 100 companies, need to be wary of the problem, as proof-of-concept code is already circulating. In the hacking world, this might already be old news, so chop-chop.

The Apache Struts vulnerability (CVE-2018-11776) lies within the core, which is why it’s important for system administrators to update their version as soon as possible. Affected versions include Struts 2.3 to Struts 2.3.34, and Struts 2.5 to Struts 2.5.16. The flaw is due to insufficient validation of untrusted, user-provided input under the following configurations:

  • the alwaysSelectFullNamespace flag is set to true
  • the configuration file contains an “action” or “url” tag that does not specify the optional namespace attribute or specifies a wildcard namespace

…which can be triggered when the hacker creates a specially crafted URL.
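The version ranges and configuration conditions above can be checked across a deployment. The following Python is an added example, not code from the article or from the Struts project; the function names are hypothetical, and it assumes the usual `struts2-core-<version>.jar` file naming, the `struts.mapper.alwaysSelectFullNamespace` constant, and that the namespace is declared on the `<package>` element that wraps the actions in `struts.xml`.

```python
import re
import xml.etree.ElementTree as ET

# Last affected patch level per branch, from the ranges quoted in the article
# (2.3 to 2.3.34, 2.5 to 2.5.16); 2.3.35 and 2.5.17 carry the fix.
LAST_AFFECTED = {(2, 3): 34, (2, 5): 16}
JAR_RE = re.compile(r"struts2-core-(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)*\.jar$")

def jar_status(jar_name):
    """Classify a struts2-core jar by file name: affected, patched, unlisted, or None."""
    m = JAR_RE.search(jar_name)
    if not m:
        return None  # not a struts2-core jar
    branch = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    if branch not in LAST_AFFECTED:
        return "unlisted"  # the article gives no range for this branch
    return "affected" if patch <= LAST_AFFECTED[branch] else "patched"

def risky_settings(struts_xml):
    """Return the risky conditions present in a struts.xml document (string)."""
    root = ET.fromstring(struts_xml)
    findings = []
    for const in root.iter("constant"):
        if (const.get("name", "").endswith("alwaysSelectFullNamespace")
                and const.get("value", "").strip().lower() == "true"):
            findings.append("alwaysSelectFullNamespace=true")
    for pkg in root.iter("package"):  # assumption: namespace lives on <package>
        ns = pkg.get("namespace")
        if ns is None or "*" in ns:
            kind = "missing" if ns is None else "wildcard"
            findings.append(f"package '{pkg.get('name')}': {kind} namespace")
    return findings

# Constructed sample input, not taken from any real deployment.
SAMPLE_JARS = ["WEB-INF/lib/struts2-core-2.3.34.jar", "WEB-INF/lib/struts2-core-2.5.17.jar",
               "WEB-INF/lib/commons-io-2.6.jar"]
SAMPLE_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="public" extends="struts-default">
    <action name="help"><result type="redirectAction">index</result></action>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default"/>
</struts>"""

if __name__ == "__main__":
    for jar in SAMPLE_JARS:
        print(jar, "->", jar_status(jar))
    for finding in risky_settings(SAMPLE_XML):
        print("config:", finding)
```

A jar reported as "unlisted" belongs to a branch the article gives no range for, so it needs a manual check rather than being treated as safe.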

The impact of this new RCE flaw in Apache Struts cannot be overstated, as a similar flaw (CVE-2017-5638) is what gave hackers access to the data of over 145 million Equifax customers, touted as one of history’s largest data breaches. The Equifax hack was a very big thing last year as it exposed millions of full names, birth dates and social security numbers to cyber criminals, all of which can be used to gain access to individuals’ insecure financial accounts.

Again, it’s important for administrators to patch their systems immediately; Equifax had two months to do so after a patch for the vulnerability was made available. But apart from the RCE flaw, other security flaws were exposed during the investigation.

“I didn’t have to do anything fancy,” the researcher told Motherboard, explaining that the site was vulnerable to a basic “forced browsing” bug. The researcher requested anonymity out of professional concerns. “All you had to do was put in a search term and get millions of results, just instantly—in cleartext, through a web app,” they said.

In total, the researcher downloaded the data of hundreds of thousands of Americans in order to show Equifax the vulnerabilities within its systems. They said they could have downloaded the data of all of Equifax’s customers in 10 minutes: “I’ve seen a lot of bad things, but not this bad.”

— Motherboard, October 2017

A patch for this vulnerability is already available, and users are advised to upgrade to versions 2.3.35 and 2.5.17 as soon as possible. Proof-of-concept code to exploit CVE-2017-5638 is already flying around the hacker community.

Apache Struts is in use by 65 percent of the Fortune 100 companies. These include the IRS, Lockheed Martin, Virgin Atlantic and Vodafone. Struts is used to develop web applications in Java; it is still in widespread use but is criticized for its security flaws.
