Critical vulnerability under “massive” attack imperils high-impact sites (Ars Technica)
Ars Technica is reporting that a recently patched vulnerability in the Apache Struts 2 web framework is being actively exploited in the wild."It's not clear why the vulnerability is being exploited so widely 48 hours after a patch was released. One possibility is that the Apache Struts maintainers didn't adequately communicate the risk. Although they categorize the vulnerability security rating as high, they also describe it as posing a 'possible remote code execution' risk. Outside researchers, meanwhile, have said the exploits are trivial to carry out, are highly reliable, and require no authentication. It's also easy to scan the Internet for vulnerable servers. It's also possible to exploit the bug even if a Web application doesn't implement file upload functionality."