Security News > 2020 > August > PoC Exploit Targeting Apache Struts Surfaces on GitHub
Proof-of-concept exploit code surfaced on GitHub on Friday, raising the stakes on two existing Apache Struts 2 bugs that allow for remote code-execution and denial-of-service attacks on vulnerable installations.
Remediation includes upgrading to Struts 2.5.22, according to the Apache Struts Security Team.
Researchers have warned of outdated installations of Apache Struts 2 and that if left unpatched they can open the door to more critical holes similar to a bug at the root of the massive Equifax breach, which was also an Apache Struts 2 flaw.
While the PoC attack and exploit posted to GitHub targets CVE-2019-0230, the Apache Struts Security Team also urged users to patch for the DoS bug.
The Apache security bulletin recommends upgrading to the most recent version of Apache Struts.
News URL
https://threatpost.com/poc-exploit-github-apache-struts/158393/
Related news
- Critical security hole in Apache Struts under exploit (source)
- 390,000+ WordPress Credentials Stolen via Malicious GitHub Repository Hosting PoC Exploits (source)
- New critical Apache Struts flaw exploited to find vulnerable servers (source)
- Patch Alert: Critical Apache Struts Flaw Found, Exploitation Attempts Detected (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
- Mitel MiCollab zero-day and PoC exploit unveiled (source)
- PoC exploit chains Mitel MiCollab 0-day, auth-bypass bug to access sensitive files (source)
- Apache issues patches for critical Struts 2 RCE bug (source)
- Adobe warns of critical ColdFusion bug with PoC exploit code (source)
- LDAPNightmare PoC Exploit Crashes LSASS and Reboots Windows Domain Controllers (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-09-14 | CVE-2019-0230 | Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. | 9.8 |