BLOG HOME > Apache Struts Vulnerability: What You Should Do

Apache Struts Vulnerability: What You Should Do

By: Michael Monsivais, CISSP

What is the Apache Struts Vulnerability?

You may have seen news reports of a serious security vulnerability in Apache Struts 2, which is a popular open-source framework developers use to create web applications. 

The Apache Struts project has just released a security bulletin about a new critical vulnerability in the Apache Struts web application framework.

The identified vulnerability could allow an unauthenticated remote attacker to execute malicious code on affected systems. At the time of the bulletin's release, all installations of Apache Struts were vulnerable.

The vulnerability, identified by Semmle Security Researcher Man Yue Mo, is reminiscent of other Apache Struts vulnerabilities from recent history. It’s a result of the web application framework failing to validate user input before passing it to sensitive internal functions. 

The same type of issue led to CVE-2016-3081, and CVE-2016-4438, two other related Apache Struts vulnerabilities. "Effectively the same issue took three attempts to fix,” says Man Yue Mo.

Remote Code Execution (RCE) vulnerabilities like this can have dire consequences, especially in this case, when it may be possible for an unauthenticated attacker to exploit it. Successfully exploiting a RCE vulnerability could allow the attacker to run arbitrary programs, retrieve source code, or exfiltrate data from the application's database. 

It was also an Apache Struts RCE vulnerability (CVE-2017-5638) that led to the Equifax breach.

Join Thousands of Security Professionals and Subscribe


What should you do to avoid a data breach?

You should update to the latest version of Apache Struts. All versions of Apache Struts, except for 2.3.35 and  2.5.17, which were released yesterday, are affected. 

Because all versions of Apache Struts are affected by this issue, you are vulnerable and likely exploitable if you have not updated to the most current versions.

The Apache Struts project suggests that exploits may be prevented by adjusting application code. However, they consider this a “weak workaround", and they ask that you upgrade to Apache Struts version 2.3.35 or 2.5.17 as soon as possible, because they also contain critical overall proactive security improvements.

Michael Monsivais is a Senior Penetration Tester at SecurityMetrics. He holds a Certified Information Systems Security Professional (CISSP) certification. He has 8 years experience Penetration Testing and 12 years in System Administration.

Download the latest guide to PCI Compliance

Download now

We are excited to work with you.


Thank you!

Your request has been submitted.