Security News > 2020 > August > Potential Apache Struts 2 RCE flaw fixed, PoCs released
Have you already updated your Apache Struts 2 to version 2.5.22, released in November 2019? You might want to, and quickly, as information about a potential RCE vulnerability and PoC exploits for it have been published.
"We continue to urge developers building upon Struts 2 to not use % syntax referencing unvalidated user modifiable input in tag attributes, since this is the ultimate fix for this class of vulnerabilities," René Gielen, Struts Project Management Committee chair, added.
Apache Struts 2 is a widely-used open source web application framework for developing Java EE web applications.
A few years ago, analyst Fintan Ryan at RedMonk estimated that nearly 65% of Fortune 100 firms actively use web applications built with the Apache Struts framework.
A security hole in Apache Struts 2 is how hackers managed to get in to execute the infamous 2017 Equifax data breach, after the company's site administrators failed to quickly implement the security update that fixed it.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/bi7qa4GgFhU/
Related news
- Apache issues patches for critical Struts 2 RCE bug (source)
- New critical Apache Struts flaw exploited to find vulnerable servers (source)
- Critical security hole in Apache Struts under exploit (source)
- Patch Alert: Critical Apache Struts Flaw Found, Exploitation Attempts Detected (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
- Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks (source)
- Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization (source)