Home Resources Blog New Apache Struts RCE Flaws Lets Hackers Take Over Web Servers

New Apache Struts RCE Flaws Lets Hackers Take Over Web Servers

Nesh (Steven Puddephatt), Senior Solutions Engineer @ GlobalDots
24.08.2018
image 1 Min read

Semmle security researcher Man Yue Mo has disclosed a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers.

Apache Struts is an open source framework for developing web applications in the Java programming language and is widely used by enterprises globally, including by 65 percent of the Fortune 100 companies, like Vodafone, Lockheed Martin, Virgin Atlantic, and the IRS.

The vulnerability (CVE-2018-11776) resides in the core of Apache Struts and originates because of insufficient validation of user-provided untrusted inputs in the core of the Struts framework under certain configurations.

The newly found Apache Struts exploit can be triggered just by visiting a specially crafted URL on the affected web server, allowing attackers to execute malicious code and eventually take complete control over the targeted server running the vulnerable application.

Your Apache Struts implementation is vulnerable to the reported RCE flaw if it meets the following conditions:

  • The alwaysSelectFullNamespace flag is set to true in the Struts configuration.
  • Struts configuration file contains an “action” or “url” tag that does not specify the optional namespace attribute or specifies a wildcard namespace.

According to the researcher, even if an application is currently not vulnerable, “an inadvertent change to a Struts configuration file may render the application vulnerable in the future.”

Image Source

Read more: The Hacker News

Learn More

What is FinOps? The Complete Guide
Cloud Cost Optimization
Nesh (Steven Puddephatt), Senior Solutions Engineer @ GlobalDots 31.05.23

While cloud-computing supports immense innovation – providing limitless resources in the pursuit of greater output and agility – public cloud end-user spending is projected to reach a staggering $600 billion this year. Hyperscale cloud vendors remain driving forces behind this growth, having proven their salt as highly strategic launchpads for digital transformation. The competition for […]

Read more
Cloud Cost Optimization: A Strategic Approach to Business Expansion
Cloud Cost Optimization
Francesco Altomare, Southern Europe Regional Manager @ GlobalDots 18.05.23

FinOps is a strategic framework designed to manage and optimize cloud costs effectively. It’s a transformative approach that brings financial accountability to the forefront of the variable spend model of cloud computing. This model allows businesses to gain a firm grip on their cloud expenses, ensuring that every dollar spent is accounted for and utilized […]

Read more
AWS Data Transfer Cost Optimization: Everything You Need to Know
Cloud Cost Optimization
Nesh (Steven Puddephatt), Senior Solutions Engineer @ GlobalDots 17.05.23

While AWS services provide a wealth of mission-critical services – storing over 2.2 trillion objects in S3 – many organizations are left floundering in the solution’s complex pricing structures. Spanning transfer types and geographies, data transfer costs can be hugely unpredictable and rapidly get out of hand.  Below, we leverage decades of industry experience to […]

Read more
Unlock Your Cloud Potential
Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.
Book a Demo