A Critical Apache Struts Security Flaw Makes It 'Easy' To Hack Fortune 100 Firms (zdnet.com) 42
An anonymous reader quotes a report from ZDNet: A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server -- putting sensitive corporate data at risk. The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts, according to security researchers who discovered the vulnerability. All versions of Struts since 2008 are affected, said the researchers. Apache Struts is used across the Fortune 100 to provide web applications in Java, and it powers front- and back-end applications. Man Yue Mo, a security researcher at LGTM, who led the effort that led to the bug's discovery, said that Struts is used in many publicly accessible web applications, such as airline booking and internet banking systems. Mo said that all a hacker needs "is a web browser." "I can't stress enough how incredibly easy this is to exploit," said Bas van Schaik, product manager at Semmle, a company whose analytical software was used to discover the vulnerability. The report notes that "a source code fix was released some weeks prior, and Apache released a full patch on Tuesday to fix the vulnerability." It's now a waiting game for companies to patch their systems.
Re: (Score:1)
You want a similar SAP vuln? It's been reported but the company, rather than mitigate it, said that SAP wasn't intended for use on the open internet and should be behind a VPN.
Shrug.
Re: (Score:2)
And besides it's already been fixed. Ever seen Windows fixed that fast when a vulnerability is found? I didn't think so.
Re: (Score:3)
When the whole world can scour the code to find vulns, it has to be safe, right? Nobody will find those obscure bugs and use them for nefarious purposes, nope, never happen.
Because you'd rather only know about this shit when the NSA gets hacked??
Struts was garbage (Score:1)
It took a simple web page and split it over multiple config files. And it did little to help larger ones. It should never have been used. But has been considered obsolete for some time now.
Re: (Score:2)
Re: (Score:2)
Oh, that's actually simple to answer. To the very last man, they'd all rather die than do anything that helps their competition even one tiny bit, even if they would have come out well ahead in the end. They simply don't buy into the old "a rising tide raises all ships" adage, and they're not interested enough in benevolent gestures to even invest serious time finding out it's true.
Re: (Score:1)
A rising tide raises all ships, so the other captains will have to come up with a solution and then we'll just piggy-back it.
Re: (Score:2)
Why can't these billion-dollar companies create a consortium to make a systematic audit of such code from start to finish? They'd all benefit enormously.
The same reason they are using crap software in the first place. Big business is like overfed government agencies extremely incompetent and inefficient.
Re: (Score:1)
Re: (Score:2)
Sounds like only people who didn't keep up with security bulletins would be affected.
Well, Java devs tend to bundle libraries instead of loading them dynamically so these can be quite hard to patch without a security person on a CI team.
On another note, 12 hours go by and only troll posts? What the fuck is happening to Slashdot...
It's almost 2018 and we still have to wait five minutes between posts and there's no unicode support. The kinds of things that make Facebook and Reddit unpopular.
Struts is useful for one thing today... (Score:2)
Screening out new hires. We had a candidate say he'd use Struts for a new project, and that was 2015. Needless to say, he never dug out of that rut in the interview. Any non-junior Java application developer who doesn't have Grails, Play, Spring Boot or DropWizard experience is an automatic "don't hire, next" for every Java team I have met that was halfway decent or better.
Sanitize your inputs (Score:1)
Mad Gadget (Score:2)