In 2017 a critical vulnerability in Apache Struts2 was leveraged by cyber attackers to breach Equifax web servers and steal personally identifiable information on 147 million Americans.
The security flaw makes it possible for an attacker to remotely execute code on the vulnerable server and can provide an entry point into your network. Proof-of-concept code is already available online for hackers to use and modify to initiate attacks.
The vulnerability affects all supported versions of Apache Struts2 with certain configurations.
Semmle stated that for your application to be vulnerable to the attack vectors described below, both of the following conditions must hold:
1. The alwaysSelectFullNamespace flag is set to true in the Struts configuration. Note that this is automatically the case if your application uses the popular Struts Convention plugin.
2. Your application uses actions that are configured without specifying a namespace, or with a wildcard namespace (e.g. "/*"). This applies to actions and namespaces specified in the Struts configuration file (e.g. <package namespace="main">), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin.
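The two conditions above can be checked mechanically against a struts.xml. The following audit script is an added example and is not code from Semmle, Apache Struts, or the original article. It assumes the flag the article names is set through the Struts constant `struts.mapper.alwaysSelectFullNamespace` in struts.xml, treats a package with no `namespace` attribute, an empty one, or one containing `*` as "missing or wildcard" (an assumption on how broadly to read "wildcard namespace"), and uses a constructed vulnerable and hardened configuration as sample input. It only inspects struts.xml; actions and namespaces declared through Convention-plugin annotations in Java code are outside its scope, so a clean result here does not clear a Convention-based application.

```python
import xml.etree.ElementTree as ET

# Struts constant that backs the alwaysSelectFullNamespace flag (assumed name).
FULL_NS_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"


def is_missing_or_wildcard(namespace):
    """Condition 2: no namespace, an empty namespace, or a wildcard such as '/*'."""
    if namespace is None:
        return True
    namespace = namespace.strip()
    return namespace == "" or "*" in namespace


def audit_struts_config(xml_text):
    """Report whether both Semmle conditions hold for a struts.xml document.

    Returns a dict with:
      full_namespace   - True if the constant is set to "true" (condition 1)
      risky_packages   - list of (package name, namespace) failing condition 2
      conditions_met   - True only when BOTH conditions hold
    """
    root = ET.fromstring(xml_text)

    full_namespace = any(
        c.get("name") == FULL_NS_CONSTANT
        and c.get("value", "").strip().lower() == "true"
        for c in root.iter("constant")
    )

    risky_packages = [
        (pkg.get("name", "<unnamed>"), pkg.get("namespace"))
        for pkg in root.iter("package")
        if is_missing_or_wildcard(pkg.get("namespace"))
    ]

    return {
        "full_namespace": full_namespace,
        "risky_packages": risky_packages,
        "conditions_met": full_namespace and bool(risky_packages),
    }


# Constructed sample: both conditions hold.
VULNERABLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="main" extends="struts-default">
    <action name="hello" class="com.example.HelloAction"/>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="ping" class="com.example.PingAction"/>
  </package>
</struts>
"""

# Constructed sample: flag off and every package carries an explicit namespace.
HARDENED_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="main" namespace="/main" extends="struts-default">
    <action name="hello" class="com.example.HelloAction"/>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="ping" class="com.example.PingAction"/>
  </package>
</struts>
"""


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        report = audit_struts_config(cfg)
        print(label, report)
```

Because both conditions are required, a configuration that leaves the flag on but gives every package an explicit, non-wildcard namespace reports `conditions_met` as False; the fix the article calls for is still to upgrade, since the flag and namespace layout are only the trigger, not the root cause.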
It is important to patch your systems immediately, as this is a critical flaw that is quite easy to exploit. Users of Struts 2.3 are advised to upgrade to 2.3.35; users of Struts 2.5 should upgrade to 2.5.17.