Dec 5, 2017: The Apache Software Foundation released a security update yesterday for Apache Struts, its Java web application framework (Struts is a framework that runs inside a servlet container, not a web server itself).
Applications using Apache Struts versions 2.5 through 2.5.14 are affected. According to US-CERT, a remote attacker could exploit these vulnerabilities to take control of an affected system.
The release addresses two advisories:
S2-054: The REST Plugin uses an outdated JSON-lib library that is vulnerable to a denial-of-service attack via a malicious request carrying a specially crafted JSON payload.
S2-055: A vulnerability was detected in the version of the Jackson JSON library that Struts shipped.
US-CERT encourages users to upgrade to Struts 2.5.14.1, which fixes both issues. As of today, there are no reports of either vulnerability being exploited in the wild.
Patch your applications
Don’t let attackers exploit these vulnerabilities. If you run Apache Struts 2.5 through 2.5.14, upgrade to 2.5.14.1 as soon as you can; the advisories list only the 2.5.x line as affected.
Look for a software bill of materials (BOM) that records Struts and its version. If no BOM is available, work with your developers to confirm whether an affected version is present: check build manifests (for example Maven or Gradle dependency lists) as well as the jars actually packaged in deployed applications, since the deployed artifact is what matters. Pay particular attention to whether the REST Plugin is deployed, because S2-054 is a flaw in that plugin. You may need to spend some time combing through your applications to rule out affected code.
For companies with a Software Composition Analysis (SCA) solution, the process is much easier. An SCA tool alerts you to the new advisory and helps you track and patch affected code in current and shipped software, from whole packages down to code snippets. Close the exposure window as soon as possible to keep your internal and external software secure.
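One way to do the manual check described above, as an added example that is not code from the original post or from the Struts project: walk a deployment tree, look at loose jars and at jars packaged inside .war/.ear archives, and flag struts2-core and struts2-rest-plugin versions that fall in the 2.5 to 2.5.14 range named by S2-054 and S2-055. The script assumes the Maven-style file naming the Struts project ships (struts2-core-<version>.jar); renamed or shaded copies are missed, which is exactly why a BOM or SCA tool is the more reliable source. The sample .war contents are constructed for the demo.

```python
"""Added example (not code from the original post): find Struts 2 artifacts
in the version range named by S2-054 / S2-055 (2.5 through 2.5.14).

Assumes Maven-style jar names such as struts2-core-2.5.14.jar. The sample
archive built at the bottom is constructed for the demo and holds empty entries.
"""
import io
import os
import re
import zipfile
from typing import Iterable, List

# Inclusive affected range from the advisories; 2.5.14.1 is the fixed release.
AFFECTED_MIN = (2, 5)
AFFECTED_MAX = (2, 5, 14)
FIXED_VERSION = "2.5.14.1"

# struts2-rest-plugin is listed because S2-054 is a flaw in that plugin.
JAR_RE = re.compile(r"^(struts2-core|struts2-rest-plugin)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str):
    """'2.5.14.1' -> (2, 5, 14, 1); tuple ordering puts 2.5.14.1 after 2.5.14."""
    return tuple(int(part) for part in text.split("."))


def is_affected_struts_version(version: str) -> bool:
    """True for 2.5 <= version <= 2.5.14 (2.3.x and 2.5.14.1 fall outside)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def classify_jar_names(names: Iterable[str], archive: str) -> List[dict]:
    """Match jar file names (loose or inside an archive) against the Struts artifacts."""
    findings = []
    for name in names:
        match = JAR_RE.match(os.path.basename(name))
        if not match:
            continue
        artifact, version = match.groups()
        findings.append({
            "archive": archive,
            "jar": os.path.basename(name),
            "artifact": artifact,
            "version": version,
            "affected": is_affected_struts_version(version),
        })
    return findings


def scan_archive_bytes(data: bytes, archive: str) -> List[dict]:
    """List every .jar entry inside a .war/.ear (e.g. WEB-INF/lib) and classify it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        jars = [n for n in zf.namelist() if n.lower().endswith(".jar")]
    return classify_jar_names(jars, archive)


def scan_directory(root: str) -> List[dict]:
    """Walk a deployment tree; check loose jars and jars nested in .war/.ear files."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if fn.lower().endswith(".jar"):
                findings.extend(classify_jar_names([fn], archive=path))
            elif fn.lower().endswith((".war", ".ear")) and zipfile.is_zipfile(path):
                with open(path, "rb") as fh:
                    findings.extend(scan_archive_bytes(fh.read(), archive=path))
    return findings


def report(findings: List[dict]) -> List[str]:
    """One line per finding; affected entries carry the upgrade target."""
    lines = []
    for f in findings:
        status = ("AFFECTED, upgrade to " + FIXED_VERSION) if f["affected"] else "outside affected range"
        lines.append(f"{f['archive']}: {f['jar']} -> {status}")
    return lines


# Constructed sample: a war whose WEB-INF/lib mixes affected and non-affected jars.
SAMPLE_WAR_ENTRIES = [
    "WEB-INF/lib/struts2-core-2.5.14.jar",
    "WEB-INF/lib/struts2-rest-plugin-2.5.14.jar",
    "WEB-INF/lib/struts2-core-2.5.14.1.jar",
    "WEB-INF/lib/struts2-core-2.3.34.jar",
    "WEB-INF/lib/commons-lang3-3.6.jar",
]


def build_sample_war() -> bytes:
    """Build an in-memory .war containing only empty placeholder entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in SAMPLE_WAR_ENTRIES:
            zf.writestr(entry, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for line in report(scan_archive_bytes(build_sample_war(), "sample.war")):
        print(line)
```

Run `scan_directory("/path/to/tomcat/webapps")` against a real deployment to get the same per-jar report. Version comparison is done on integer tuples rather than strings so that 2.5.14.1 sorts after 2.5.14 and 2.5.9 before 2.5.14; a plain string compare would get both wrong.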