Apache servers under attack through easily exploitable Struts 2 flaw (Help Net Security, March 2017)

A critical vulnerability in Apache Struts 2 is being actively and heavily exploited, even though the patch for it was released on Monday. System administrators are encouraged to upgrade to version 2.3.32 or 2.5.10.1 as soon as possible to avoid compromise. What is Apache Struts 2, and how is the vulnerability exploited? Apache Struts 2 is an open source web application framework for developing Java EE web applications. The vulnerability (CVE-2017-5638), discovered and reported …
News URL: http://feedproxy.google.com/~r/HelpNetSecurity/~3/EHAnUViUdv4/
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-03-11 | CVE-2017-5638 | Improper Handling of Exceptional Conditions vulnerability in multiple products. The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. | 9.8 |