Proof-of-Concept Released for Apache Struts VulnerabilityProof-of-Concept Released for Apache Struts Vulnerability
It took less than five days for proof of concept code exploiting the latest Apache Struts vulnerability to hit Github
August 27, 2018

That didn't take long: Last week, the Apache Foundation reported that a new serious vulnerability had been found in Struts. This week, proof-of-concept code for the flaw, including a Python script for easier code deployment, was found available on Github.
Unlike vulnerabilities that led to breaches like that at Equifax, this Struts vulnerability is the result of a specific configuration rather than a set of add-ins. While no exploit code had been found "in the wild" at the time of the original notice, the proof-of-concept code placed on Github is likely to shorten the interval until real exploitation is attempted by an attacker.
Meanwhile, Python code that probes for the vulnerabilities has been published to Github as well. A cursory examination of the Python script shows it is simple to check for the vulnerable configuration; the actual work is done in less than 20 lines of code.
Allan Liska, senior security architect at Recorded Future, says that exploiting the vulnerability now means that "a simple, well-crafted URL is enough to give an attacker access to a victim's Apache Struts installation. There is already exploit code on Github, and underground forums are talking about how to exploit it."
He warns that many large organizations may be unaware they are at risk, "because Struts underpins a number of different systems, including Oracle and Palo Alto."
All Apache Struts users have been urged to update to versions 2.3.35 or 2.5.17 as rapidly as possible to avoid exposure to a remote code execution attack exploiting the vulnerability.
Related Content:
About the Author
You May Also Like
Uncovering Threats to Your Mainframe & How to Keep Host Access Secure
Feb 13, 2025Securing the Remote Workforce
Feb 20, 2025Emerging Technologies and Their Impact on CISO Strategies
Feb 25, 2025How CISOs Navigate the Regulatory and Compliance Maze
Feb 26, 2025Where Does Outsourcing Make Sense for Your Organization?
Feb 27, 2025